SSL VPN et Client certificate authentication

Hi, We are trying to use APM (v12.1.2) to provide a network access using SSL VPN. The first control we make is a client certificate authentication. This authentification is NOT configured on LTM using clientssl profile but only using the APM "On-demand Cert Auth" agent. Once all the security control are passed, the "tunnel" is opened between the edge client and the big-ip using an new SSL/TCP connection. This connection is maintained during all the user session. I need to know if this "last" SSL/TCP connection is negociated using the client certificate (the one check on the APM "On-demand Cert Auth" agent). Could you please tell me if this is the case and how to ealy control it ? Thank you