Description:
Even though a user's session is in the WebAgent cache, the user is validated by the Policy Server and not by the WebAgent cache.
Solution:
The session cache has a timeout of 3600 seconds (1 hour), and entries are marked expired once they have been in the session cache for more than 1 hour. So once an entry is created in the session cache, an auth/az request for that entry made before 1 hour has passed is served from the session cache, whereas after 1 hour it is served from the Policy Server.
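The timing behaviour described above, as an added Python model (not SiteMinder code and not from the original article). The class and function names are hypothetical, and it assumes the entry lifetime is measured from creation and that a Policy Server validation stores a fresh entry.

```python
SESSION_CACHE_TIMEOUT = 3600  # seconds, the value stated in this article


class SessionCacheModel:
    """Simplified model of an agent-side session cache with a fixed entry lifetime."""

    def __init__(self, timeout=SESSION_CACHE_TIMEOUT):
        self.timeout = timeout
        self._created = {}  # session id -> time the entry was created (seconds)

    def validate(self, session_id, now):
        """Return which component serves the auth/az request at time `now`."""
        created = self._created.get(session_id)
        # An entry expires once it has been cached for more than `timeout`
        # seconds. Reads do not extend its life (assumption: no sliding window).
        if created is not None and now - created <= self.timeout:
            return "session_cache"
        # Missing or expired entry: the request is validated by the Policy Server.
        # Assumption: that validation creates a fresh cache entry.
        self._created[session_id] = now
        return "policy_server"


def replay(requests, timeout=SESSION_CACHE_TIMEOUT):
    """Replay (session_id, seconds) pairs in order; report who served each one."""
    cache = SessionCacheModel(timeout)
    return [(sid, t, cache.validate(sid, t)) for sid, t in requests]


# Constructed timeline: seconds since the first login, two sessions interleaved.
SAMPLE = [
    ("sess-A", 0),      # first request, nothing cached yet
    ("sess-A", 1800),   # 30 min old entry
    ("sess-B", 2000),   # different session, its own entry and clock
    ("sess-A", 3599),   # still inside the hour, despite the recent read at 1800
    ("sess-A", 3601),   # older than 1 hour: back to the Policy Server
    ("sess-A", 3700),   # served by the entry re-created at 3601
    ("sess-B", 5700),   # sess-B entry is 3700 s old: expired
]

if __name__ == "__main__":
    for sid, t, served_by in replay(SAMPLE):
        print(f"{sid} t={t:>5}s -> {served_by}")
```

A user who is active throughout still reaches the Policy Server once the entry passes the timeout, which is the behaviour the Description reports.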