Just to let people know who might be trying to find out:

Mobility Pack seems to work fine as a domain-based multihomed protected
resource behind Access Manager. This was part of a reverse proxy that
forces SSL using an externally signed wildcard certificate.
We set this up with no Authentication or anything. Pointed Access Manager
at port 443 of the Mobility Server and told it to accept any cert for this.
Single resource path defined for /
For safety I turned off all rewriting on this proxy too. Not tested whether
this was necessary.
Pointed internal and external DNS at the LAG address using the same FQDN.

Mobility Pack was set up with self-signed cert: the mobile devices never see
this, just the common externally signed one. This avoids scrabbling round
for another valid internet address, firewall ports and a separate