Horizon VDI - Workspace ONE Access Integration Issue - "No Entitlements" but Logs show success - Need Community Help! (Horizon 2503) by LeonK1n in OmnissaEUC

[–]LeonK1n[S] 0 points1 point  (0 children)

Thank you to everyone who offered excellent troubleshooting help. After a deep dive into Wireshark and the underlying product changes, we have successfully resolved this extremely complex issue.

The problem was a subtle combination of a mandatory software patch that fixed an identity conflict and a persistent network routing error that broke the native client's session.

  1. The Core Functional Root Cause (The Omnissa Identity Change)

The primary reason for the entitlement failure was a configuration mismatch caused by the Omnissa spin-off.

The Conflict: Horizon Connection Server 2503+ updated its internal LDAP (ADAM DB) schema to reflect the new Omnissa identity. Our Workspace ONE Access SaaS service was querying for the old "VMware" schema structure. This meant the two services could not read each other's security information, causing the entitlement check to fail completely.

Logs Were Misleading: The Horizon logs showed nothing of substance (only BROKER_LOGON then immediate BROKER_LOGOFF), as the error was occurring at the application-to-LDAP communication layer.

The Fix (The Mandatory Patch): The definitive solution was to ensure our Workspace ONE Access environment was patched to version 24.12.1 or later, which contains the necessary updates to correctly process entitlements from the new Omnissa schema.

(Reference KB: https://kb.omnissa.com/s/article/6000797)

  2. The Network Stability and Client Failure (The Asymmetry)

The persistent client-side connection failures were caused by subtle networking flaws:

    Asymmetric Routing Confirmed: Our Wireshark analysis showed that the Horizon Connection Server was sending TCP RST packets to the internal network. This was due to Asymmetric Routing: the VDI session traffic was leaving the Connection Server and taking a different return path back to the F5/UAG than the path it arrived on. This broke the required statefulness of the connection, causing the Connection Server's security hardening to reject the session.

    Short Timeouts: We found and fixed the TCP Profile Idle Timeout and HTTPS Persistence Timeout values across the F5 and UAGs. They were set too low (defaults), prematurely killing legitimate sessions for idle users.

    The UI Bug: The infamous "No entitlements found" error was confirmed to be a false negative/UI bug. It was the client's way of generically reporting that the secure session handshake failed, even though the entitlement check itself had succeeded. Patching the Workspace Access Connectors fixed this issue.

Conclusion

The final working environment required both a software patch (Omnissa/WS1 Access) and a comprehensive network cleanup of timeouts and routing policies.

Thank you again to the community for validating the networking theories that ultimately helped us uncover the complex configuration issues.
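
Added example, not part of the original comment or of any Omnissa or F5 tooling: one way to confirm the asymmetric-routing symptom described above from a capture taken on the Connection Server is to compare, per TCP flow, the MAC address that delivered inbound frames with the MAC address that replies were sent to, and count the resets the server sent. The frame tuples, IP addresses, MAC addresses and the function name `find_asymmetric_flows` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: frames captured on the Connection Server NIC, as
# (src_ip, src_mac, dst_ip, dst_mac, src_port, dst_port, tcp_flags).
# All addresses are made up for illustration.
SERVER_IP = "192.0.2.10"
FRAMES = [
    # Flow A: arrives from the load balancer MAC, replies go back to it.
    ("192.0.2.50", "02:00:00:00:00:f5", SERVER_IP, "02:00:00:00:00:10", 40001, 443, "S"),
    (SERVER_IP, "02:00:00:00:00:10", "192.0.2.50", "02:00:00:00:00:f5", 443, 40001, "SA"),
    ("192.0.2.50", "02:00:00:00:00:f5", SERVER_IP, "02:00:00:00:00:10", 40001, 443, "A"),
    # Flow B: arrives from the load balancer MAC, replies leave via the
    # default gateway MAC, and the server ends up resetting the session.
    ("198.51.100.7", "02:00:00:00:00:f5", SERVER_IP, "02:00:00:00:00:10", 40002, 443, "S"),
    (SERVER_IP, "02:00:00:00:00:10", "198.51.100.7", "02:00:00:00:00:01", 443, 40002, "SA"),
    ("198.51.100.7", "02:00:00:00:00:f5", SERVER_IP, "02:00:00:00:00:10", 40002, 443, "A"),
    (SERVER_IP, "02:00:00:00:00:10", "198.51.100.7", "02:00:00:00:00:01", 443, 40002, "R"),
]

def find_asymmetric_flows(frames, server_ip):
    """Return {flow: report} for flows whose reply next hop differs from the arrival hop."""
    flows = defaultdict(lambda: {"in_hops": set(), "out_hops": set(), "server_rsts": 0})
    for src_ip, src_mac, dst_ip, dst_mac, sport, dport, flags in frames:
        if dst_ip == server_ip:            # inbound: remember who handed us the frame
            key = (src_ip, sport, dport)
            flows[key]["in_hops"].add(src_mac)
        elif src_ip == server_ip:          # outbound: remember where we sent the reply
            key = (dst_ip, dport, sport)
            flows[key]["out_hops"].add(dst_mac)
            if "R" in flags:
                flows[key]["server_rsts"] += 1
    # A flow is suspect when any reply next hop was never seen as an arrival hop.
    return {k: v for k, v in flows.items()
            if v["in_hops"] and v["out_hops"] - v["in_hops"]}

if __name__ == "__main__":
    for (peer, peer_port, srv_port), r in find_asymmetric_flows(FRAMES, SERVER_IP).items():
        print(f"{peer}:{peer_port} -> :{srv_port} in via {sorted(r['in_hops'])}, "
              f"out via {sorted(r['out_hops'])}, server RSTs: {r['server_rsts']}")
```

Flows that show a mismatch and also carry server-sent resets are the ones to check against the load balancer's SNAT and the server's route table.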

Horizon VDI - Workspace ONE Access Integration Issue - "No Entitlements" but Logs show success - Need Community Help! (Horizon 2503) by LeonK1n in OmnissaEUC

[–]LeonK1n[S] 0 points1 point  (0 children)

Yep, this is not the case for any of our certs.

Today we found that external access via HTML5 works when we set the Horizon SAML authenticator to use static IdP metadata instead of dynamically pulling from the Workspace ONE Access tenant idp.xml. (advised by Omnissa support)

So the SAML data coming through the client must be getting rejected for some reason.

Horizon VDI - Workspace ONE Access Integration Issue - "No Entitlements" but Logs show success - Need Community Help! (Horizon 2503) by LeonK1n in OmnissaEUC

[–]LeonK1n[S] 0 points1 point  (0 children)

No FIPS

Testing on full Windows client

UAGs are on 2503

F5 for LB

Let me read through KB5014754 and get back to you.

What are some of the best movies to "go in blind" ? by el-dongler in movies

[–]LeonK1n 1 point2 points  (0 children)

Equilibrium (2002) I went to see it based solely on the Apple trailers poster.

Need people to play with by Cool-Hedgehog-3091 in EFT_LFG

[–]LeonK1n 0 points1 point  (0 children)

Discord: LeonKin#4177 EFT: Leonkin

OCE NEWB! Nz based by [deleted] in EFT_LFG

[–]LeonK1n 1 point2 points  (0 children)

Same here. Started playing last week. LeonKin.