I would expect the Bluecoat to send an X-Authenticated-User and an X-Client-IP header. These headers should cause MWG to replace the source IP address to the IP of the client and insert the correct username. Can you verify with a packet capture that both headers are present in the ICAP communication from BC to MWG?
If i remember correctly, sometimes BC will pre-fetch content before a user requests it without having a username or ip address associated with the user.
You could be seeing the results of this.