Hi,
OK. Got it.
No, with this setup, there is no need for C3D, but the thing is that when you try to log the result in the CLIENTSSL_CLIENTCERT event, this only takes into account what is in the CLIENTSSL profile. So if the certificate is valid in terms of certificate chain, it will always return OK. The Auth profile is not considered in this event. So it's slightly more complex to do this check like this.
Step 1: check the SSL Cert by the CLIENTSSL profile
Step 2: check the OCSP
Step 3: finalise SSL handshake.
There is an OLD iRule that showed how to do this, which you could use as a starting point.
https://devcentral.f5.com/s/articles/client-cert-request-by-uri-with-ocsp-checking
But it seems that a bit of work will be required to make it work in recent versions of BIG-IP. If I find a bit of spare time I may try to do it, but not guaranteed :-)
Yoann