Simon_Waters_13
May 20, 2014

When is HTTP_RESPONSE not fired?

I have a very boring iRule.

    when HTTP_RESPONSE {
        HTTP::header insert Strict-Transport-Security "max-age=31708800"
    }

It works exactly as expected except...

For a VS using multi-domain authentication, the header is not inserted into the responses for the F5 logon pages; similar pages on another VS do have the header. As such, HSTS isn't enabled until they complete the authentication successfully, which is undesirable.

What am I missing? 11.5.1 HF2 with an engineering fix to make the multi-domain authentication work.

4 Replies

  • The HTTP_RESPONSE is triggered for egress HTTP traffic through the box. The logon VIP in an APM multi-domain configuration doesn't trigger the HTTP_RESPONSE event because it handles all responses locally. Your best bet here, unfortunately, is to layer the APM logon VIP behind an LTM VIP that can see the HTTP response traffic from the APM VIP. You'd use a very simple iRule on the LTM VIP:

    when HTTP_REQUEST {
        virtual [name of APM VIP]
    }
    when HTTP_RESPONSE {
        HTTP::header insert Strict-Transport-Security "max-age=31708800"
    }
  • I should probably also clarify a "layered" VIP. This is where you put one VIP in front of another. The "external" VIP would have your publicly routable IP:port, a SNAT profile, an HTTP profile, and a client SSL profile if this is HTTPS traffic. The virtual command would send the decrypted traffic to an internal unencrypted VIP (in this case your APM VIP) that uses an internal, non-routable destination IP:port.

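    The layered-VIP layout described in the two replies above, written out as a bigip.conf-style configuration. This is an added example, not configuration from the thread: the object names, the addresses 203.0.113.10 and 10.255.255.1, and the client SSL profile name are assumptions, enabling the internal VIP on no VLANs is the assumed way to keep it unreachable except through the virtual command, and the APM VIP's own access-policy, rewrite and connectivity profiles are left as already configured and not listed.

```tmsh
# Internal APM logon VIP: plain HTTP on a non-routable address, reachable only
# via the external VIP's "virtual" command. Existing APM profiles stay attached.
ltm virtual /Common/vs_apm_internal {
    destination /Common/10.255.255.1:80
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans { }
    vlans-enabled
}
# External LTM VIP: public address, client SSL, HTTP profile, SNAT automap.
# It terminates TLS and proxies to the APM VIP, so HTTP_RESPONSE fires here
# for every response, including the APM logon pages.
ltm virtual /Common/vs_external_443 {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/clientssl-example { context clientside }
        /Common/http { }
        /Common/tcp { }
    }
    rules {
        /Common/hsts_layer
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
ltm rule /Common/hsts_layer {
when HTTP_REQUEST {
    # Hand the decrypted request to the internal APM VIP
    virtual vs_apm_internal
}
when HTTP_RESPONSE {
    # Runs on the external VIP, so the logon pages get the header too
    HTTP::header insert Strict-Transport-Security "max-age=31708800"
}
}
```

    To confirm the fix, fetch the logon page through the external VIP before authenticating and check that the response already carries Strict-Transport-Security.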

  • Thanks Kevin. I suspect that the added complexity in fixing it is not worth it, given this would largely affect users who've never succeeded in completing authentication. Just wanted to make sure it wasn't some other property of the configuration causing it to break.


    Although I wonder whether it could be added to the config in the way the pages are served. Probably time for HSTS to be a checkbox and TTL that do the 'right thing' everywhere, rather than a manual bolt-on using iRules.