Ok, so after lunch didn't pan out. However, what I'm not seeing is any provisions in your CachedHttpClient to deal with the Vary header you suggested using. If I add Vary: Cookie I would expect that the CachedHttpClient would be taking this into account when adding an entry to the cache. But from what I can tell it's only using the url as the cache key - which doesn't work if you want to vary it based on anything (cookie, accept, etc).
Not the Cached Clients doesn't support Vary yet but browsers do. You can just clear the cache when you logging in another user: