California OVR sessions fail in Production

[jlev]

CA registration forms submit correctly using the Charles HTTPS Proxy using TLSv1.2 with the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher over http/1.1

But in local testing on Mac OS X and in production on Heroku the same exact requests fail, with the CAOVR side redirecting back to the form start instead of the second step.

I have found slight differences in the X-Iinfo headers returned by the Incapsula CDN:
working:
X-Iinfo': '3-21072469-21072487 SNNN RT(1522442321719 325) q(0 0 0 0) r(1 1) U6

failed:
X-Iinfo': '4-30959012-30959013 SNNN RT(1522442261045 140) q(0 0 0 0) r(0 0) U6

The first field appears to be a UID, and the third is a timestamp The r(x x) field may be a clue, but I am not sure what it represents.