A client (e.g. browser) is using a unique or self-sign certificate (client certificate) to authenticate against an origin content server (OCS).
The user is not able to access the site when the WSS Agent is enabled.
The user is able to access the site when the WSS Agent is disabled.
Web Security Service
The issue was caused by the proxy SSL intercepting the traffic and breaking the private chain of trust between the client and OCS.
While the SSL proxy is configured to forward the information about the Client Certificate to the OCS. In some cases, it is required to do an SSL exemption to allow all traffic going to the OCS, so the WSS proxy does not interact with it, thereby allowing the Client Certificate to be processed.
Add the domain/IP to your SSL Exemption list
Universal Policy Enforcement (UPE)
If you are using Universal Policy Enforcement, the Management Center administrator will need to update their current SSL interception policy and push the new exemption to the WSS enforcement domain.