The policy rule for the 'Password Override' verdict is being matched but there is another global rule that determines if it is possible to return the password override redirect.
Blue Coat uses a 302 redirect to provide the password override form. If the content type in the response is text/html, then it returns a 302. If the content type is application/x-shockwave-flash, then the 302 will not be returned.
The requirements for password override to work is that the application must be able to follow redirects and set cookies.