The only thing you'd ever need to purchase would be "issued" certificates: client and/or server certificates. The certificate authority (CA) that issued that certificate will always provide its public cert for free, as this is needed to validate the trust one entity has of another entity - by virtue of explicit trust of the issuer.
As you're probably aware, an "intermediate" certificate is a CA cert that is itself issued by another, higher-level CA. So you can have several levels of issuing CAs from the "root" CA all the way down to the issued server or client cert. Example:
root CA -> intermediate CA -> intermediate CA -> client cert
In order to validate a trust of a presented client cert, a server must be able to 1) build the above chain from the cert's issuer, to that cert's issuer, to the root CA, and 2) have some level of pre-established explicit trust with all or some of these CAs. In the BIG-IP's case, you must explicitly build that complete chain, so you need all of the CA certs in the path. Your best bet for retrieving those certs is first to determine what they are by observing the issuer field of the client or server cert, then to go to that vendor for the CA's public certificate, and then to repeat that process until you get to the self-signed root.
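
The issuer-walking procedure described above, as an added example that is not part of the original post and is not F5 tooling. It assumes the `openssl` CLI is installed and that the candidate CA certs were already downloaded as one PEM file each into a directory; the function names and paths are hypothetical.

```shell
#!/bin/sh
# Added example: follow issuer -> subject links from a cert up to the
# self-signed root, then assemble and verify a CA bundle.

# Print a certificate's subject or issuer DN in a stable, comparable form.
dn() {  # usage: dn subject|issuer file.pem
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# Print the ordered chain (direct issuer first, root last), one path per line.
# Returns 1 and names the missing issuer if a link cannot be found.
build_chain() {  # usage: build_chain leaf.pem ca_dir
    cur=$1; dir=$2; depth=0
    while [ "$(dn subject "$cur")" != "$(dn issuer "$cur")" ]; do
        want=$(dn issuer "$cur"); next=
        for f in "$dir"/*.pem; do
            [ -f "$f" ] || continue
            if [ "$(dn subject "$f")" = "$want" ]; then next=$f; break; fi
        done
        if [ -z "$next" ]; then
            echo "missing CA cert for issuer: $want" >&2; return 1
        fi
        echo "$next"; cur=$next
        depth=$((depth + 1))
        [ "$depth" -le 10 ] || { echo "chain too long or looping" >&2; return 1; }
    done
}

# Matching names proves nothing about signatures, so the assembled bundle
# is checked with "openssl verify" before it is accepted.
make_bundle() {  # usage: make_bundle leaf.pem ca_dir bundle.pem
    chain=$(build_chain "$1" "$2") || return 1
    [ -n "$chain" ] || { echo "no chain built for $1" >&2; return 1; }
    echo "$chain" | while read -r f; do cat "$f"; done > "$3"
    openssl verify -CAfile "$3" "$1" >/dev/null
}
```

A "missing CA cert for issuer" message names the next certificate to fetch from that vendor before the bundle is complete.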