gangma
Dec 19, 2024

two F5 iApp Citrix gateways behind same SSL LB

We need to migrate from NetScaler to BigIP.

On NetScaler we have two StoreFront FQDNs and they resolve to the same VIP on the same Citrix Gateway. In other words, the same Citrix gateway provides service to two different StoreFront URLs. We do this because of strict firewall rules between users and our NetScaler; they are managed by different IT teams. End users don't have to whitelist another IP in their firewalls, so we can reuse the same IP to provide another StoreFront for end users. This IP has been allowed for years.

The Citrix gateway has session policies that check the host in the HTTP header and forward the traffic to different backend StoreFronts with the -wihome parameter. If a user accesses FQDN_A, the session policy matches and the session action forwards the traffic to -wihome Storefront_URL_A. If a user accesses FQDN_B, the session policy matches and the session action forwards the traffic to -wihome Storefront_URL_B. This setup has worked fine on NetScaler for more than two years.

On F5 BigIP we created two gateways with the iApp template. Each iApp gateway can support one StoreFront FQDN, so we created two gateways with iApp.

The two FQDNs resolve to the same IP on NetScaler, so we created a generic SSL LB in front of the two iApp gateways and attached an SNI-based traffic policy.

Now the issue is that the user can log in and authenticate with the different FQDNs, see the StoreFront UI, see the allowed app icons, and get the .ICA file, but Citrix Workspace cannot establish a VDI session with the ICA file. Citrix Workspace gets stuck at "Opening the resource Connection in progress..." and fails at "Unable to start unable to launch your applications due to an internal error. Contact your system administrator."

ICA works, so I think the traffic from end users to each iApp gateway through the front LB works and the traffic policy works based on the SNI check.

Not sure why ICA works but VDI fails through the LB. However, if I move the IP to one of the iApp gateways, both ICA and VDI work without problem.

 

Thank you for your assistance.
