Shoot. Sorry I misunderstood the internal writeup on this. Instead of not escaping itself it looks like it expects *you* to escape it manually. Can you try setting it to "\66\69\65\6C\64\3D\2A"? That should be "field=*".
You're going to have to double-escape them inside the iRule or policy agent config. TCL gets weird with escaping sometimes. The example I've got from bigip.conf where the variable is being set from a var-assign policy agent to "medusademo" to formulate a search filter is:
If it doesn't work at first, packet capture a plaintext LDAP query so you can see what it's sending on the wire, the escaping might not be exactly right.