The description of your issue is confusing and better edit your question with precise description of the issue.
For the ASM VIP to APM VIP you use Layered VS (https://support.f5.com/csp/article/K54217479) ?
You can also configure the ASM to protect the APM login page, so no one can can click other pages if they have not passed the login page:
https://support.f5.com/csp/article/K13315545
I think that you can use the Per-Request policy to force again a login.
Better review your multy domain config if you think that there are issues as you need to be carefull with profile scope (https://devcentral.f5.com/s/question/0D51T00006j20Ce/v12-apm-profile-scope):
https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-1-0/27.html
https://clouddocs.f5.com/training/community/iam/html/archived/class7/module1/lab7.html
For to clear APM session with iRule use "ACCESS::session remove"
https://clouddocs.f5.com/api/irules/ACCESS__session.html