This is something I've been meaning to build on, see a similar post here:
So if I am reading your setup, you have WCCP going over 9090, and poxy users over 9091?
You want both types of users to use NTLM authentication, and if they fail, it will fall back to x509 time based auth?
We have WCCP clients but they are currently still using a WW 6.9.2. We have NTLM authenticated clients using 9090 via a proxy.pac file. We have IOS devices also using 9090 via a proxy.pac file and they are having to reauthenticate after their cached IP clears. We wanted to test using x509 for those clients to authenticate with. I understood that you could setup a different proxy.pac for them and set authentication on that port to x509. I was looking for some guidance on setting that up.