I don't know if TMG and deal with an upstream proxy, but presumably, the TMG would auth the user, then the request would be handled by the WSA, and you wouldn't require the TMG to auth to the WSA...
I do know that the WSA can be configured to use an upstream proxy, from the menu Network>Upstream Proxy. In that case, have the users auth to the WSA and then have the TMG trust any connections from the WSA...
Trying to do auth on both just sounds like you're looking for a world of complications...