Request client cert auth based on URL

So this seems to work however it is only inserted when refreshing the webpage so it needs two consecutive HTTP request, in this use case could work because there are in fact 2 consecutive request first GET then POST with exact same URL, but find it very strange that the HTTP_REQUEST insert header event cannot grab the initial CLIENTSSL_CLIENTCERT. Perhaps this is caused due to the following order:

The matching URL is matched then client cert authentication is negotiated to the client. Then the Certificate is received and stored and is only available for next HTTP request, does that makse sense? Perhaps moving the header insertion to HTTP_REQUEST_RELEASE would fix this.... 

when RULE_INIT {
set static::cert 0
}
when CLIENTSSL_CLIENTCERT { 
if {[SSL::cert count] > 0}{
log local0. "start CLIENTSSL_CLIENTCERT" 
set static::cert [X509::whole [SSL::cert 0]]
log local0. "end CLIENTSSL_CLIENTCERT with cert value $static::cert" }
}
 
when HTTP_REQUEST {
if {[class match [string tolower [HTTP::uri]] contains DG_ACC_NO_CERT_AUTH] && [HTTP::path] == "/nidp/idff/sso"}{
   log local0. "certificate not inserted and header SSL_CLIENT_CERT value is: [HTTP::header value SSL_CLIENT_CERT] for host [HTTP::host] and URI: [HTTP::uri] and clientip: [IP::client_addr] "
   return
}
elseif { [class match [string tolower [HTTP::uri]] contains DG_ACC_CERT_AUTH] && [HTTP::path] == "/nidp/idff/sso"}{   
SSL::session invalidate
SSL::authenticate always
SSL::authenticate depth 9
SSL::cert mode request
SSL::renegotiate enable
SSL::renegotiate
HTTP::header insert SSL_CLIENT_CERT [b64encode $static::cert]
log local0. "certificate inserted and header SSL_CLIENT_CERT value is: [HTTP::header value SSL_CLIENT_CERT] for host [HTTP::host] and URI: [HTTP::uri] and clientip: [IP::client_addr]"
}
}