DirectAccess 2012 OTP and Force Tunneling

Recently I worked with a customer in a project to get DirectAccess 2012 up and running in a POC environment. The customer wished to use RSA as an OTP provider in the setup. One another request was to use Force Tunneling for their clients for different reasons.

Force Tunneling introduces some drawbacks in the setup as you might well know, one being that only IP-HTTPS can be used. There are other implications as well but one, previously unknown to me, was that Force Tunneling and OTP does not play well (or at all actually) together.
This was pointed out to us after performing some debugging together with Microsoft support.

I just found this document regarding this issue and other non-working and unsupported configurations