Forum Discussion
Thought I'd return to answer my own question for posterity and in the hopes it might be of some help to those who come after me.
I've split the iRule into two. The first iRule will add the certificate thumbprint as a new SOAP header to the payload and inspect the "Organisation" element in the payload to figure out how to route. Instead of routing to a pool, however, it now routes to a virtual server (virtual [servername]). This gives me a hook to introduce a second iRule that I've attached to the target virtual server (the one we routed to in iRule 1).
The second iRule handles the CLIENT_ACCEPTED event and stores the [TCP::local_port] in a variable which is later used in the HTTP_REQUEST_DATA handler when I insert the SOAP To header. Probably worth noting that I'm also replacing the Host and Location HTTP headers, but this really has no bearing on inserting some or all of the final virtual server's address in the payload.
One last thing I'll mention is the content-length header. I ended up storing it away during the HTTP_REQUEST_DATA handler (after I've made all payload modifications, of course) and then I trap the HTTP_REQUEST_SEND and insert the content-length header with the new payload length. I do this on BOTH iRules. That is, the first iRule will upsert the header (clients may include it) with the new length and the second iRule inserts (because it seems to disappear) the header with a re-calculated length (set payloadLength [HTTP::payload length]).
And so I commit this to the void.