We're running CA Access Gateway (SPS) to protect Identity Portal, and
once user gets authenitcated, user gets "Unauthorized Access" and
cannot access the web site.

Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:

CA Access Gateway (SPS) produces the headers, but send the request to
the backend server in http. Then the backend server does a redirect to
the CA Access Gateway (SPS) and this one send back the request to
https.

By the redirect, the headers won't be sent again, and this is why you 
don't see them on the test header page. 

You've configured the proxyrules.xml to send the request to https, but 
then the CA Access Gateway (SPS) doesn't handle the request properly 
and return an error. 
 

In order for the CA Access Gateway (SPS) to be able to handle backend 
server connection in SSL you need to configure it to do so. 

Configure Client Certificate Authentication 
https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/ca-access-gateway-configuration/configuring-ssl-for-ca-access-gateway/configuring-ssl-on-httpclient-noodle-manually