OCSP responder profile with client cert set to "request", for multiple CAs;

You'd basically have an access policy that starts with an On-Demand cert auth agent that is followed by an iRule agent. That iRule would parse the client cert looking for either an AIA field or CRLDP. Depending on the logic you choose (ie. if AIA and CRLDP exist, always choose the AIA, or something like that), you'd set an access session variable. Out of the iRule event agent you'd have an empty agent and a set of branch conditions that evaluates this session variable and then routes the logic flow through an OCSP auth agent or CRLDP auth agent.

The APM CRLDP agent has been able to support HTTP and LDAP URLs since (I think 11.3).