Ok this is what I can gather so far:
Decrypt for Authentication: For users who have not been authenticated prior to this HTTPS transaction, allow decryption for authentication. If the user has not been authenticated prior to the HTTPS transaction, the client HTTPS request will be denied if this decrypt for authentication option is not enabled.
Decrypt for End-User Notification: You can configure the Cisco WSA to notify the user why it blocked the URL request. Web users see a webpage that explains that they were blocked from accessing a website and why they were blocked. These pages are called end-user notification pages. The End-User Notification is configured Security Services > End-User Notification page. You can define notification pages using the on-box end-user notification pages or outside the Cisco WSA by redirecting all notification pages to a custom HTTP or HTTPS URL you specify. When using an outside HTTPS URL, allow decryption so that the Cisco WSA can display the end-user notification.
Decrypt for End-User Acknowledgement: You can configure the Cisco WSA to inform users that it is filtering and monitoring their web activity. The Cisco WSA does this by displaying an end-user acknowledgement page when a user first accesses a browser after a certain period of time. When the end-user acknowledgement page appears, users must click a link to access the original site requested or any other website. The End-User Acknowledgeme is configured under the Security Services > End-User Notification page. To keep track of when users accepted the end-user acknowledgementpage, the Cisco WSA can use a surrogate (either by IP address or web browser session cookie) if no username is available for the user. If the Cisco WSA tracks whether the user has acknowledged the end-user acknowledgement page with a cookie, the Cisco WSA cannot obtain the cookie unless it decrypts the transaction. For users who have not acknowledged the Cisco WSA prior to this HTTPS transaction, allow decryption so that AsyncOS can display the end-user acknowledgement. If the user has not acknowledged the Cisco WSA prior to the HTTPS transaction, the end-user acknowledgement page cannot be displayed with decryption and the client HTTPS request will be denied.
Decrypt for Application Detection: Enhances the ability of AsyncOS to detect HTTPS applications. The HTTPS Proxy can decrypt HTTPS connections to web applications. This allows the AVC engine to more accurately detect and block web applications that use HTTPS. These web applications may use web browsers or other client applications, such as instant messaging applications.