Forum Discussion
SSO and iRules
My observation is that 98% of the time, an HTTPS monitor is going to fail because of the SSL handshake. The important first step then is to understand where exactly it's failing. If you have access to the server side VLAN, between the BIG-IP and servers, launch an SSLDUMP and listen to the SSL handshakes:
ssldump -AdNn -i [interface or VLAN name] port 443 [and any additional capture filters]
You'll very likely see something wrong here, either side sending an alert or reset at some important step of the process. Alternatively you can attempt to simulate an SSL monitor request directly from the command line. You can either use cURL or openssl s_client. The latter will give you more flexibility in the SSL handshake parameters.
openssl s_client -connect x.x.x.x:443
where x.x.x.x is the server's IP. If the SSL/TLS handshake succeeds, you can then manually issue the HTTP GET request. The following is a minimal example:
GET / HTTP/1.1
Host: www.foo.com
[skip a line]
If that returns a valid HTTP response, and no SSL errors were seen in the SSLDUMP capture, plan C is to attempt to decrypt that SSL between the two parties, also with SSLDUMP, and to see if the HTTP request (and response) are what you expect them to be.
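The manual check described in the post above, scripted as an added example (not part of the original post): a Python probe that reports whether a monitor-style request fails at the TCP connect, at the TLS handshake, or at the HTTP exchange. The function name `probe_https` and its parameters are hypothetical, and certificate validation is off by default as an assumption.

```python
import socket
import ssl
import sys


def probe_https(ip, port=443, host="www.foo.com", path="/", timeout=5.0, verify=False):
    """Return (stage, detail): stage is 'tcp_connect', 'tls_handshake' or
    'http_response' for the step that failed, or 'ok'."""
    ctx = ssl.create_default_context()
    if not verify:
        # Assumption: validation is off so the probe works against a bare
        # pool-member IP; pass verify=True to test the certificate chain too.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((ip, port), timeout=timeout)
    except OSError as exc:
        return "tcp_connect", str(exc)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)  # sends SNI = host
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        raw.close()
        return "tls_handshake", str(exc)
    with tls:
        negotiated = f"{tls.version()} {tls.cipher()[0]}"
        request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        try:
            tls.sendall(request.encode("ascii"))
            status_line = tls.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")
        except OSError as exc:
            return "http_response", f"{negotiated} | {exc}"
    if not status_line.startswith("HTTP/"):
        return "http_response", f"{negotiated} | unexpected reply {status_line!r}"
    return "ok", f"{negotiated} | {status_line}"


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python probe.py <server-ip>
    print(probe_https(sys.argv[1]))
```

A `tls_handshake` result points back to the SSLDUMP capture for the alert or reset; an `ok` result with the monitor still down points to the decrypted request and response.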