
ajbravo_237687
Sep 23, 2016

Trouble with Smart Card Login to the F5 Web Management UI

I've read https://devcentral.f5.com/questions/smart-card-login-to-f5-web-management and https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-12-0-0/6.html but I'm having trouble getting smart cards to work to log in to the web management console of the F5 itself. We are an Active Directory shop (2012), and if we need to tweak our Smart Card certs for this, we can.


I can get the management site to verify the client cert, but no authentication happens--you just land at the login page (where you can enter name/password, and it successfully authenticates, but that defeats the purpose).


I've uploaded our internal root CA certificate to the Apache Certificates store, and configured httpd as follows (note: the GUI for the cert-LDAP piece ALWAYS turns on OCSP checking, regardless of the setting--this is really annoying):


    sys httpd {
        auth-pam-idle-timeout 1800
        log-level debug
        ssl-ca-cert-file /Common/InternaCA-cert
        ssl-ciphersuite DEFAULT:!3DES:!LOW:!MD5:!EXPORT
        ssl-verify-client require
        ssl-verify-depth 20
    }

And then I have tried several variations on the following (the subject of our Smart Card certs is the DistinguishedName, and we have the userPrincipalName in the subject alternate name; these accounts don't have email addresses). The accounts/domains are sanitized in the code below:


    auth cert-ldap system-auth {
        bind-dn "CN=LDAP Runner,OU=Other,OU=Users-Internal,DC=contoso,DC=com"
        bind-pw BINDPASSWORD
        check-roles-group enabled
        debug enabled
        login-attribute sAMAccountName
        login-name userPrincipalName
        search-base-dn OU=Users-Internal,DC=Contoso,DC=com
        servers { dc8.contoso.com }
        ssl-cname-field san-other
        ssl-cname-otheroid 1.3.6.1.4.1.311.20.2.3
        sso on
    }

I've tried combinations of the CN and OID for the UPN. Watching the tcpdump traffic, I can see that there's no LDAP traffic at all (unless you enter the user name and password in the forms). The httpd logs aren't showing anything that seems useful, though lots and lots of:


    Sep 23 18:04:30 F502EU err httpd[21790]: [error] [client 127.0.0.1] AUTHCACHE PAM: user 'admin' - not authenticated: Authentication failure

Which corresponds to lots and lots of:


    Sep 23 19:10:19 F502EU err httpd[22289]: [error] [client 127.0.0.1] AUTHCACHE PAM: user 'admin' - not authenticated: Authentication failure
    Sep 23 19:10:19 F502EU info httpd(pam_audit)[22289]: User=admin tty=(unknown) host=127.0.0.1 failed to login after 1 attempts (start="Fri Sep 23 19:10:17 2016" end="Fri Sep 23 19:10:19 2016").

What am I missing?
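The cert-ldap settings in the post (`ssl-cname-field san-other` with `ssl-cname-otheroid 1.3.6.1.4.1.311.20.2.3`) tell BIG-IP to pull the login name out of a specific subjectAltName entry: the otherName whose type-id is the Microsoft UPN OID, carrying a UTF8String. Whether the smart card certificate actually contains that entry, in that encoding, is the first thing to check before looking at the LDAP side. The following is an added example (not from the poster, and not F5 code) with hand-rolled DER handling for just this structure; it builds a sample subjectAltName with a constructed UPN, lists its entries the way `openssl x509 -noout -text` labels them, and extracts the value the `san-other` mapping is expected to yield. The names jdoe@contoso.com and F502EU.contoso.com are made up for the example.

```python
# Added example: minimal DER helpers for the subjectAltName otherName entry that
# cert-ldap `san-other` + `ssl-cname-otheroid` reads. Not a full X.509 parser;
# sample names are constructed.
from typing import List, Optional, Tuple

MS_UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft userPrincipalName type-id

# GeneralName context tags from RFC 5280 (only the ones used here)
TAG_OTHER_NAME = 0xA0  # [0] constructed: OtherName SEQUENCE
TAG_RFC822NAME = 0x81  # [1] primitive IA5String (email)
TAG_DNSNAME = 0x82     # [2] primitive IA5String (DNS)


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return der_tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_san(upn: str, email: Optional[str] = None, dns_name: Optional[str] = None) -> bytes:
    """subjectAltName value: GeneralNames ::= SEQUENCE OF GeneralName.
    The UPN lives in otherName { type-id OID, value [0] EXPLICIT UTF8String }."""
    upn_value = der_tlv(0xA0, der_tlv(0x0C, upn.encode("utf-8")))  # [0] EXPLICIT UTF8String
    names = der_tlv(TAG_OTHER_NAME, encode_oid(MS_UPN_OID) + upn_value)
    if email:
        names += der_tlv(TAG_RFC822NAME, email.encode("ascii"))
    if dns_name:
        names += der_tlv(TAG_DNSNAME, dns_name.encode("ascii"))
    return der_tlv(0x30, names)


def list_san(san_der: bytes) -> List[Tuple[str, str]]:
    """Walk the GeneralNames and label each entry roughly as openssl's text dump does."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag == TAG_RFC822NAME:
            out.append(("email", body.decode("ascii")))
        elif tag == TAG_DNSNAME:
            out.append(("DNS", body.decode("ascii")))
        elif tag == TAG_OTHER_NAME:
            otag, oid_body, p = read_tlv(body, 0)
            if otag != 0x06:
                out.append(("othername:?", body.hex()))
                continue
            vtag, vbody, _ = read_tlv(body, p)
            stag, sbody, _ = read_tlv(vbody, 0)
            # Only the UTF8String form is what the UPN mapping can use; show raw hex otherwise.
            value = sbody.decode("utf-8") if (vtag == 0xA0 and stag == 0x0C) else vbody.hex()
            out.append(("othername:" + decode_oid(oid_body), value))
        else:
            out.append(("tag-0x%02x" % tag, body.hex()))
    return out


def extract_upn(san_der: bytes, oid: str = MS_UPN_OID) -> Optional[str]:
    """The value `san-other` + `ssl-cname-otheroid <oid>` should hand to the
    login-name lookup: the UTF8String in the otherName with that type-id, else None."""
    for kind, value in list_san(san_der):
        if kind == "othername:" + oid:
            return value
    return None


if __name__ == "__main__":
    san = build_san("jdoe@contoso.com", dns_name="F502EU.contoso.com")
    print(san.hex())
    for kind, value in list_san(san):
        print(kind, "=", value)
    print("UPN for login-name lookup:", extract_upn(san))
```

If `extract_upn` would return None for a real card's SAN (no otherName with that OID, or a value that is not a UTF8String), the cert-ldap mapping has nothing to send to LDAP, which matches the absence of LDAP traffic in the capture described above; if it returns the UPN, the next place to look is whether `login-name userPrincipalName` and `search-base-dn` locate that user.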

