Well I managed to get around the issue by deploying additional Access Points just for Identity Manager, I don't think it plays well trying to use a single Access Point for both View and Identity Manager.
Here is what I ended up using and so far so good and remember the admin functions won't work externally!
{
"identifier": "WEB_REVERSE_PROXY",
"enabled": true,
"proxyDestinationUrl": "https://workspace.example.com:443",
"healthCheckUrl": "/favicon.ico",
"proxyPattern": "/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*)",
"unSecurePattern": "/catalog-portal(.*)|/|/SAAS/|/SAAS|/SAAS/API/1.0/GET/image(.*)|/SAAS/horizon/css(.*)|/SAAS/horizon/angular(.*)|/SAAS/horizon/js(.*)|/SAAS/horizon/js-lib(.*)|/SAAS/auth/login(.*)|/SAAS/jersey/manager/api/branding|/SAAS/horizon/images/(.*)|/SAAS/jersey/manager/api/images/(.*)|/hc/(.*)/authenticate/(.*)|/hc/static/(.*)|/SAAS/auth/saml/response|/SAAS/auth/authenticatedUserDispatcher|/web(.*)|/SAAS/apps/|/SAAS/horizon/portal/(.*)|/SAAS/horizon/fonts(.*)|/SAAS/API/1.0/POST/sso(.*)|/SAAS/API/1.0/REST/system/info(.*)|/SAAS/API/1.0/REST/auth/cert(.*)|/SAAS/API/1.0/REST/oauth2/activate(.*)|/SAAS/API/1.0/GET/user/devices/register(.*)|/SAAS/API/1.0/oauth2/token(.*)|/SAAS/API/1.0/REST/oauth2/session(.*)|/SAAS/API/1.0/REST/user/resources(.*)|/hc/t/(.*)/(.*)/authenticate(.*)|/SAAS/API/1.0/REST/auth/logout(.*)|/SAAS/auth/saml/response(.*)|/SAAS/(.*)/(.*)auth/login(.*)|/SAAS/API/1.0/GET/apps/launch(.*)|/SAAS/API/1.0/REST/user/applications(.*)|/SAAS/auth/federation/sso(.*)|/SAAS/auth/oauth2/authorize(.*)|/hc/prepareSaml/failure(.*)|/SAAS/auth/oauthtoken(.*)|/SAAS/API/1.0/GET/metadata/idp.xml|/SAAS/auth/saml/artifact/resolve(.*)|/hc/(.*)/authAdapter(.*)|/hc/authenticate/(.*)|/SAAS/auth/logout|/SAAS/common.js|/SAAS/auth/launchInput(.*)|/SAAS/launchUsersApplication.do(.*)|/hc/API/1.0/REST/thinapp/download(.*)|/hc/t/(.*)/(.*)/logout(.*)",
"authCookie": "HZN",
"loginRedirectURL": "/SAAS/auth/login?dest=%s"
}
{
"locale": "en_US",
"adminPassword": "*****",
"cipherSuites": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA",
"honorCipherOrder": false,
"ssl30Enabled": false,
"tls10Enabled": false,
"tls11Enabled": true,
"tls12Enabled": true,
"healthCheckUrl": "/favicon.ico",
"cookiesToBeCached": "none",
"ipMode": "STATICV4",
"sessionTimeout": 36000000,
"quiesceMode": false,
"monitorInterval": 60
}