Identify and cleanse expired and soon to expire certs from BIG-IP
Problem this snippet solves: Identify expired and soon-to-expire certs (including their use on a virtual, client-ssl profile). If desired, script can delete client-ssl profile, cert/key for expired...
Published Jul 29, 2018
Version 1.0
Chad_Jenison
Nimbostratus
Joined May 13, 2008
Chad_Jenison
Feb 12, 2019
Nimbostratus
So what you are proposing is that when the script encounters a profile that is associated with an expired cert AND the virtual server has a server SSL profile, it would remove both the clientssl and serverssl profile and the hope would be that clients who connect would accept whatever cert the back-end server is offering?
I'm curious; how did your BIG-IP get to a state where there are numerous clientssl profiles that point to expired certs? Seems to me that not long after the cert expires, you'd get user reports complaining about an expired cert and then you'd fix it, such that few BIG-IPs that are actively used will have expired certs attached to clientssl profiles attached to active virtual servers.
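The check described in the snippet summary, and the in-use question raised in the comment above, as an added example that is not part of the thread or of the published script. It assumes inputs shaped like iControl REST responses for `sys/file/ssl-cert`, `ltm/profile/client-ssl` and `ltm/virtual` with expanded subcollections. The 30-day window, the `cleanup_candidate` flag and all sample data are constructed for illustration.

```python
from datetime import datetime, timezone

def classify_certs(certs, profiles, virtuals, now, warn_days=30):
    """List expired / soon-to-expire certs with the profiles and virtuals using them."""
    cert_to_profiles = {}     # cert path -> client-ssl profiles referencing it
    for p in profiles:
        refs = {p.get("cert")} | {c.get("cert") for c in p.get("certKeyChain", [])}
        for cert in refs - {None, "none"}:
            cert_to_profiles.setdefault(cert, set()).add(p["fullPath"])
    profile_to_virtuals = {}  # profile path -> virtual servers attaching it
    for v in virtuals:
        for item in v.get("profilesReference", {}).get("items", []):
            profile_to_virtuals.setdefault(item["fullPath"], set()).add(v["fullPath"])
    findings = []
    for c in certs:
        days_left = (c["expirationDate"] - now.timestamp()) / 86400
        if days_left > warn_days:
            continue
        used_p = sorted(cert_to_profiles.get(c["fullPath"], ()))
        used_v = sorted({v for p in used_p for v in profile_to_virtuals.get(p, ())})
        findings.append({
            "cert": c["fullPath"],
            "state": "expired" if days_left < 0 else "expiring",
            "profiles": used_p,
            "virtuals": used_v,
            # Expired and behind no virtual: removal cannot change what clients are served.
            "cleanup_candidate": days_left < 0 and not used_v,
        })
    return findings

def _ts(y, m, d):
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

# Constructed sample data (not from a real BIG-IP).
NOW = datetime(2019, 2, 12, tzinfo=timezone.utc)
CERTS = [{"fullPath": "/Common/old-app.crt", "expirationDate": _ts(2018, 6, 1)},
         {"fullPath": "/Common/shop.crt", "expirationDate": _ts(2019, 1, 15)},
         {"fullPath": "/Common/api.crt", "expirationDate": _ts(2019, 3, 1)},
         {"fullPath": "/Common/portal.crt", "expirationDate": _ts(2020, 1, 1)}]
PROFILES = [{"fullPath": "/Common/cssl-old-app", "cert": "/Common/old-app.crt"},
            {"fullPath": "/Common/cssl-shop", "certKeyChain": [{"cert": "/Common/shop.crt"}]},
            {"fullPath": "/Common/cssl-api", "cert": "/Common/api.crt"}]
VIRTUALS = [{"fullPath": "/Common/vs-shop", "profilesReference": {"items": [
                {"fullPath": "/Common/cssl-shop"}, {"fullPath": "/Common/serverssl"}]}},
            {"fullPath": "/Common/vs-api", "profilesReference": {"items": [{"fullPath": "/Common/cssl-api"}]}}]

if __name__ == "__main__":
    for finding in classify_certs(CERTS, PROFILES, VIRTUALS, NOW):
        print(finding)
```

An expired cert that still maps to a virtual server (here `/Common/shop.crt`) is reported but not marked for cleanup, since removing its profile would change what clients of that virtual are served.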