You have two options:
1. (As you mentioned) Do not offload SSL on the CSS and send the traffic to the server directly for SSL offload. The shortcoming of this method is that you cannot use HTTP headers for making intelligent LB decisions.
You simply need a content rule listening on TCP 443. For example:

content apps-443
  add service svc1
  add service svc2
  vip address 192.168.1.1
  protocol tcp
  port 443
  active

service svc1
  ip address 10.10.10.1
  port 443
  protocol tcp
  keepalive type tcp
  keepalive port 443
  active

service svc2
  ip address 10.10.10.2
  port 443
  protocol tcp
  keepalive type tcp
  keepalive port 443
  active

2. Do end-to-end SSL, where you will have to install a cert on the CSS, offload SSL on the CSS, make the LB decision based on Layer 7 headers, encrypt the HTTP request again and send it to the server as an encrypted request (the server will do the SSL offloading again).
HTH
Syed Iftekhar Ahmed