Hi DC,
You will need to grep for the access logs while testing this application. What your looking for are requests made by the application which are being blocked by your access policies hence the 403 that your already seeing in the access logs. Once you have determined the URLs being requested by the application add those URLs to a custom URL category: WSA GUI -> Web Security Manager -> Custom URL Category -> submit -> commit your changes. You will also need to add this custom URL category to a No Authentication Access / Identity which will also contain a No Authentication Identity. Usually in this scenario you will already have a default No Auth Identity based on your class of network A,B,C created with a Custom URL Category already directly associated to that identity. This type of Access Policy , Identity, Custom URL Category is designed for applications , Operating system updates etc...
Erik
Sincerely,
Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator