I'm trying to determine this as well, did you by chance get clarification on what the "unresolvable" represents?
In my quick testing, "unresolvable" was returned when I disabled blocking of "self-signed" certs (as an example).
So I would guess that this means the Web Gateway was not able to determine if the certificate was valid. A self-signed certificate, a unknown root ca, or incomplete path could be one of the reasons for seeing this.
In this thread, I created a ruleset which logs all blocks recorded by SSL scanner:
This was then turned into a ruleset in the online ruleset library:
You could log these incidents then perhaps correlate them to the spikes if you wanted.