According to Cisco best practice we enabled user authentication caching surrogates on our WSA's based on IP addresses. This doesn't work for user that browse the Internet from a Citrix or Direct Access session as multiple users are using the same IP address in this case. According to the manual you should be able to use session cookies but this disables caching for HTTPS sessions.
And since 90% of our Internet traffic is HTTPS this effectively disabled authentication caching.
Anyone has experience with this?