Mar 26, 2024

Portal Access to HTTPS resources slow

Hey all,

Wanted to reach out to see if anyone has dealt with Portal Access and performance issues for resources in the backend that use HTTPS. I'm on version 15.x, recently upgraded to v15.1.10.3, and the issue persists. I also have the iRule to patch issues with Chrome 122+.

On the client side, only HTTPS is permitted. If the backend app is allowed to use HTTP, then it works well. But having backend traffic use HTTPS in some instances makes the app nearly unusable. And in the cases where the backend tries to enforce an HTTP-to-HTTPS redirect, it effectively "blocks" the access.

Trying to change a number of options has yielded few results. I do have a case open with F5 and captures provided.

Thanks in advance...

Josh Becigneul

  • Hi, did you figure out this issue? Was it related to full patching settings vs. minimal patching, or something else? Alternatively, if the applications are web-based, they can be configured as an application tunnel with Chrome or any other browser.

  • Please ensure that a OneConnect profile is enabled on the HTTP profile assigned to the VS, so that BIG-IP can use 1 server-side TCP connection for multiple client sessions.
    As 1 TCP session equals 1 TLS/SSL session, reducing the number of server-side TCP sessions will also reduce the number of server-side TLS sessions.

    You might also need to reduce the TLS cipher set strength of the server "side" SSL profile to reduce server processing load, e.g.:

    • only use AES 128-bit and disable AES 256 or higher
    • disable ECDHE / DHE, hence it will only use RSA/DSA

    Additionally, ensure that the server uses hardware-accelerated AES (Intel/AMD AES-NI).


  • You might want to try bypassing the clientside of the BIG-IP --> Portal Resource HTTPS connection's certificate verification by setting the serverssl profile to "ignore" the server's certificate, here:


  • Aside from the other great suggestions, I recommend planning a major code upgrade. Minimum 16.1.x if you can't get to v17.1.x. The v15.1 code train goes End of Software Development at the end of 2024.

    K5903: BIG-IP software support policy

    https://my.f5.com/manage/s/article/K5903