I have just had a requirement passed to me.
We have a CSS running a single VIP as far as this is concerned. A single SSL-proxy list but two services running behind that.
That is two content rules, one a layer 4, the other a layer 5. We want to restrict access to the layer 5 rule to certain users.
As we are using the same SSL, and only splitting out between the two apps after we have decrypted the SSL, I don't think the use of client certificates will help, nor will access lists, as they are on the same IP address.
You can use an ACL like:
clause 10 deny any 220.127.116.11 destination content gdufour/SSL2
As you can see, you can specify the content rule - and not the destination ip.
I haven't tested, but it may work.