Unfortunately, there was no reference material, just good ole trial and error... Here are some steps we went through. Just keep in mind that you need to use Kerberos for your backend authentication. Good luck.
SAML with OKTA
1. Create a new URL to be used. (e.g. https://host.domain.com/sp)
2. Configure the DNS record
3. OKTA side: Configure OKTA setting and export metadata
4. On F5, go to Access Policy | SAML | BigIP as SP, and create a new iDP object using the metadata from step 3
5. Browse for the Metadata file and select a name (something descriptive to what service it will be used for; e.g., OKTA_SERVICE-iDP)
6. Under the Assertion settings, change the Identity Locations to “Attribute” and type in “upn”
7. Once created, go to Access Policy | SAML | BigIP as SP and for Local SP Service click Create
8. Select a name for the SP Service (something descriptive to what service it will be used for; e.g., OKTA_SERVICE-SP). For the Entity ID, enter the URL provided in step 1 above (https://host.domain.com/sp)
9. After creating the Local SP Service, highlight the SP service just created and select “Bind/Unbind iDP connector”
10. Click “Add New Row”, and choose the SAML IdP Connector and choose update
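
A pre-flight check for the settings in steps 6 and 8, added here as an example and not part of the original post: it parses a decoded SAML assertion and confirms that the Audience equals the SP Entity ID and that a single `upn` attribute is present. The sample assertion is constructed, the function name is hypothetical, the `user@realm` shape is an assumption based on the Kerberos back end mentioned above, and no signature validation is performed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real Okta tenant).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/EXAMPLE_ISSUER</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://host.domain.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="upn">
      <saml:AttributeValue>jdoe@domain.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, sp_entity_id, identity_attr="upn"):
    """Return a list of problems; an empty list means the assertion fits the SP config."""
    root = ET.fromstring(xml_text)
    problems = []

    # Step 8: the SP Entity ID must appear as an Audience in the assertion.
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include SP entity ID {sp_entity_id}")

    # Step 6: the identity is read from the attribute named exactly "upn".
    values = [v.text.strip()
              for attr in root.iterfind(".//saml:Attribute", NS)
              if attr.get("Name") == identity_attr
              for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    if not values:
        problems.append(f"no '{identity_attr}' attribute in the assertion")
    elif len(values) > 1:
        problems.append(f"'{identity_attr}' has {len(values)} values; expected one")
    else:
        user, sep, realm = values[0].partition("@")
        if not (user and sep and realm):
            problems.append(f"'{identity_attr}' value {values[0]!r} is not user@realm")
    return problems
```

An attribute name that differs only in case (for example `UPN`) is reported as missing, since the comparison is an exact string match.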