The application is running on an application server (WebLogic) that is behind a web server (Sun One), both of which are attempting to set the header.
The problem we are having is that even though pages are protected by SSL the "cache-control: no-cache" HTTP header is not being set so firefox and IE7 are caching the pages. We absolutely do not want caching to happen for these pages.
In my development environment - where there is not F5 LB - even though the application is trying to set the header I had to change the web server config so that the header was being set. I assumed that since the browser is talking to the F5, even though both the web and app servers are attempting to set the header, only the F5 can actually do so.