The ProxySG or Advanced Secure Gateway (ASG) will set a cookie in the form "BCSI-CS-XXXXXXXXXX".

The ProxySG and the ASG use this cookie to determine the authentication disposition of a client. The CS in the header stands for "Challenge State".

If the ProxySG or the ASG requires authentication and an upstream proxy or webserver also requires authentication the ProxySG or ASG needs some way to know if the client credentials are meant for it or for an upstream server. If an upstream server challenges for credentials, then the ProxySG sets the BCSI-CS cookie so that it knows it should forward the credentials upstream. 

If the ProxySG or ASG isn't sure what to do with the credentials (i.e. when there are credentials in a request without a BCSI-CS cookie), then the ProxySG or ASG won't forward credentials upstream. This is to avoid leaking enterprise credentials to an external server in most cases. Leaking credentials would be a serious security risk, especially when Basic credentials were used.