Is it permissible for an intermediate proxy to add cookies during proxy authentication?
HTTP cookies are a hot mess. There is no real standard; the RFC, for what it's worth, merely attempts to document what actual user agents are doing.
In any case, the RFC you probably want to read is RFC 7235, which specifies that proxies are supposed to send a Proxy-Authenticate header with the 407 status to request authentication information, and user agents receiving this are supposed to retry the request with a Proxy-Authorization header containing the authentication information for the proxy.
A number of challenge/response methods could be used to supply this information; the most widely used being "basic" (RFC 7617) as pretty much everything that speaks HTTP implements it.
The IANA maintains a registry of known HTTP authentication schemes. As a general rule they use the HTTP headers named previously, or they are noted to be noncompliant. None use cookies for authentication.
Whether it's allowed for a proxy to add or change cookies, I can't say. The RFCs really don't seem to be very clear on this point. It's certainly unexpected behavior, especially for authentication. And BlueCoat has a long history of being mediocre in quality...