Good day,
I was a bit thrown off by the tmm --clientciphers output and didn't realize this is actually for the UI. Oops. So two things to consider so far:
1) You definitely would need to add TLSv1_1 to block TLS 1.1 using a client SSL profile.
2) It isn't apparent from my research why -TLSv1 blocks TLSv1 and TLSv1.1 in httpd (Apache).
Adding -TLSv1.1 doesn't seem to affect anything in 11.x, but 10.x can't accept that option.
Does this help? I believe there's an anomaly here, though it is tested to work and TLS 1.1 isn't affected by BEAST, so this seems to simply be a question of "why does this work this way," and there doesn't as of yet seem to be an obvious answer.
If something comes up, I'll let you know.
Thank you,
Kevin