The only reason you'd need a Verisign intermediate CA is if you want to be able to hit the vast majority of clients as configured out-of-the-box, without your certs pushed by group policy or whatever. Nobody involved seems to have a remotely good explanation of why Bluecoat has one; or what legitimate purposes it could possibly serve that couldn't be served by a vastly less dangerous toy.
The reason is simple: most customers of these devices prefer to implement them in transparent proxy mode, which requires no endpoint device (browser, etc.) configuration, no pushing of internal certs, etc. Browsers are talking on 80/443 happily unaware that their traffic is being proxied, and the SSL server certs being presented by Google or Facebook or their bank are not actually certs from those servers...they're Blue Coat's imposter certificates, generated on-demand.