For the Cloud SWG service to return the exception ("Access Denied") page for SSL content, it must return an HTTPS page that is encrypted with the Cloud SWG SSL Interception certificate:
"Cloud Services Root CA"
Distribute the "Cloud Services Root CA" certificate to all endpoints (even when SSL Interception is disabled).