Q: Regarding Mobile SSO for iOS, I'm aware that it uses a built-in KDC on VIDM so do I also need to do TCP/UDP port forwarding for port 88?
A: Yes, port forwarding required.
Q: What can I put as the realm?
A: The KDC realm is initiated when initializing the KDC on the vIDM. Often the AD or DNS domain name is used as the realm, but this is not required.
Make it recognizable. The realm is set in upper case.
Q: Do I need to create a public DNS record that points to our VIDM LB so that the iOS clients are able to find the KDC?
A: Yes, more here: Using the Built-in KDC. The KDC requires DNS SRV records with a special syntax; see the example in the linked page.
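As an added example (not from the thread or from VMware's documentation), the script below renders the Kerberos SRV records that let a client locate the KDC for a realm and then checks a zone-file fragment for them: the records must exist for both UDP and TCP and must point at port 88, the port the first answer says has to be forwarded. The record names follow the standard Kerberos DNS convention (`_kerberos._udp.<realm>` and `_kerberos._tcp.<realm>`); the exact set of records the built-in KDC expects is an assumption here, so the linked VMware page remains the authoritative list. Hostnames and the zone text are constructed placeholders.

```python
"""
Added example, not code from the original thread or from VMware.
Builds and validates DNS SRV records for a Kerberos KDC realm using the
standard Kerberos naming convention (assumed here; confirm the exact
records against the vendor documentation linked in the thread).
"""
import re

KDC_PORT = 88  # Kerberos KDC port; must be reachable through the LB/port forward


def expected_srv_names(realm):
    """SRV owner names a Kerberos client queries for a realm (DNS names are lower-cased)."""
    realm = realm.lower().rstrip(".")
    return [f"_kerberos._udp.{realm}.", f"_kerberos._tcp.{realm}."]


def render_srv_records(realm, kdc_host, ttl=3600, priority=0, weight=100):
    """Render BIND-style SRV lines that point the realm at one KDC on port 88."""
    target = kdc_host.rstrip(".") + "."
    return [f"{name} {ttl} IN SRV {priority} {weight} {KDC_PORT} {target}"
            for name in expected_srv_names(realm)]


# Matches "<name> [ttl] [IN] SRV <prio> <weight> <port> <target>"; other record types are skipped.
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)


def parse_zone(text):
    """Extract SRV records from a zone-file fragment, ignoring comments and non-SRV lines."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        m = SRV_RE.match(line)
        if m:
            records.append({"name": m["name"].lower(), "port": int(m["port"]),
                            "target": m["target"]})
    return records


def check_kdc_records(realm, zone_text):
    """Return a list of problems; an empty list means the zone advertises the KDC correctly."""
    problems = []
    if realm != realm.upper():
        problems.append(f"realm {realm!r} is not upper case")
    records = parse_zone(zone_text)
    for name in expected_srv_names(realm):
        hits = [r for r in records if r["name"] == name]
        if not hits:
            problems.append(f"missing SRV record {name}")
            continue
        for r in hits:
            if r["port"] != KDC_PORT:
                problems.append(f"{name} points at port {r['port']}, expected {KDC_PORT}")
    return problems


# Constructed sample zone fragment; hostnames and addresses are placeholders.
SAMPLE_ZONE = """
; constructed example zone fragment
_kerberos._udp.vidm.example.com. 3600 IN SRV 0 100 88 vidm-lb.example.com.
_kerberos._tcp.vidm.example.com. 3600 IN SRV 0 100 88 vidm-lb.example.com.
vidm-lb.example.com.             3600 IN A   203.0.113.10
"""

if __name__ == "__main__":
    for rec in render_srv_records("VIDM.EXAMPLE.COM", "vidm-lb.example.com"):
        print(rec)
    print("problems:", check_kdc_records("VIDM.EXAMPLE.COM", SAMPLE_ZONE))
```

Feed `check_kdc_records` the output of a zone export (or the answer section of a `dig SRV` query reformatted as zone lines) to confirm the public records for the realm exist and point at port 88 before testing from an iOS client.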
Q: We will also install UAG for intranet browsing purposes, can this be used as a Reverse Proxy to reach the VIDM servers - any documentation on that?
A: Yes, UAG can be a reverse proxy for vIDM.
More here: Unified Access Gateway Landing Page and https://docs.vmware.com/en/Unified-Access-Gateway/3.2/uag-32-deploy-config-guide.pdf