When a customer uses "Customer Hosted CA" mode to sign the proxy certificates and if the CA is an intermediate CA, the certficate chain must also be uploaded to the portal so that the Akamai server-side SteelHead (ACSH) will include the necessary certificate chain during the SSL handshake.
For example, consider the following signing hierachy:
*.sharepoint.com > signed by "Intermediate CA-1" > signed by "Intermediate CA-2" > signed by Root CA