Policy check sequence within a virtual server

So are you decrypting and reencrypting on the primary VIP? If so, do you also decrypt on the secondary's so as to be able to use cookie persistence? Is each secondary hosting/connecting-to a different application? Just curious as to whether your policy is generic enough to be applicable to the apps behind each secondary. I know that for our custom-built webapp I've had to do a fair amount of policy tuning because of how extensive the app is, so it's really only (or most) applicable for our app (a K-12 Student Information System).

I'm still learning myself but it would seem to make sense to have One-connect, SNAT, etc on the secondaries as they are creating/using the TCP sessions to the pool members.