I'm guessing that this matcher doesn't work on SYN and ACK packets, but instead it inspects the first content packets. The destination and source address are as determined without this matcher. And on a match, it terminates the original connection between router and server, and creates a new one to the new destination using the new source (as determined by rules including the matcher).
To the client, nothing would appear out of the ordinary, as long as the server at the final destination has the correct certificate. The final destination server would also not notice anything different. The original destination server would notice a TCP connection that gets immediately terminated, before the first packet from the client.
(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)