I don’t see any reason why that would not work. Clients are somewhat unaware of the responding UAG, as from their point of view they just connect to the public VIP on the SLB, the same one that the hostname resolves to.
All the network address translations happening behind the SLB on the path are never exposed to clients. And you don’t need to worry about connection servers or their certificates. All TLS is proxied on the UAG, i.e. the UAG creates another TLS session against the connection server rather than passing through the existing one.