With clientless SSL VPN, they won't be able to.
But with AnyConnect SSL VPN full tunnel, yes, they can. You can configure no split tunnel (ie: tunnel all traffic back to the corporate) and use the company internal proxy server to send the web traffic towards ScanSafe.
However, if they use untrusted machine on the internet cafe, typically they wouldn't have access to install any application to the machine. So installing the AnyConnect SSL VPN client might not an option.
In any case, user sitting on the internet cafe normally will be browsing out the Internet, not your company resources, so we don't really care if the internet kiosk machine is infected. In any case, it would have been infected anyway since it is not protected from the beginning. You would only want to protect company resources, not internet kiosk machine.
Further to that, internet kiosk machine as you advise is already untrusted, and if you create an SSL tunnel back to your organization, that would only infect your company resources as ScanSafe only scans Internet web traffic. Anything directed towards the company resources will not be scanned as it won't be reachable from Scansafe cloud, and anything non web traffic will also not be protected. So essentially, you really don't want user to be using internet kiosk machine to be connecting to your company resources.