I've set up a GTM and the SSL VPN using Topology as a Load Balancing Option, and have that working perfectly. However, I have not tried to add into that the 2nd layer of load balancing.
You might look into the Limit Settings for devices, such as Current Connections; that might help you out. Otherwise you could add a health monitor to the GTM which would monitor the connections and return a "signal" if you're at your limit, thus marking that instance down. However, if you mark that instance down, your current clients will be moved to a different instance when they perform a new DNS lookup (which could be frequent depending on the TTL for that WIP).
Thanks,
Kevin