A combined Admin Console and IDP behind a SLES 11 server running the Access Gateway Service
The F5 BIG-IP was misconfigured. The following options had been selected in error; unchecking them resolved the issue:
When the BIG-IP system performs renegotiation as an SSL server, this option always starts a new session (that is, session resumption requests are only accepted in the initial handshake). The system ignores this option for server-side SSL processing.
This option disables a countermeasure against an SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. These ciphers cannot be handled by certain broken SSL implementations. This option has no effect for connections using other ciphers. This is the default value for the Enabled Options list.