An update to the accepted solution:
This was, in fact, fixed by a call to TAC. In the end, it turns out that since we use Barracuda Mail Filtering with Cloud Protection Layer (CPL), the emails to the sponsor with the link to approve the requestor were being 'detonated' in the URL sandbox at the protection layer. All inbound emails with these services actually explode any URL to inspect it to see if it is safe before passing the email to the recipient. In effect, CPL was "clicking the approval link," seeing that it was an ok website, and then passing the email to the sponsor. This, in effect, approved the access via the click.
Hope that saves someone else some trouble.
Mark
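
The behaviour described in the post above, modelled as an added example (not from the original post and not any vendor's code): an approval link that changes state on a plain GET is triggered by a URL scanner's fetch, while a link whose GET only renders a confirmation page and whose POST performs the approval is not. The class, function names, and the assumption that the scanner issues only a GET are hypothetical.

```python
# Added illustration; ApprovalService, handle and url_scanner_fetch are hypothetical names.
import secrets

class ApprovalService:
    """Toy model of a sponsor-approval endpoint reached from an emailed link."""

    def __init__(self, approve_on_get):
        self.approve_on_get = approve_on_get
        self.pending = {}      # token -> requestor
        self.approved = set()  # requestors granted access

    def create_request(self, requestor):
        token = secrets.token_urlsafe(16)
        self.pending[token] = requestor
        return token  # embedded in the link mailed to the sponsor

    def handle(self, method, token):
        """Return (status, body) for a request to the approval URL."""
        if token not in self.pending:
            return 404, "unknown or already used token"
        if method == "GET":
            if self.approve_on_get:
                # One-click design: merely fetching the URL changes state.
                return self._approve(token)
            # Safe design: GET has no side effects, it only shows a form.
            return 200, "confirm page: press Approve to submit"
        if method == "POST":
            return self._approve(token)
        return 405, "method not allowed"

    def _approve(self, token):
        requestor = self.pending.pop(token)
        self.approved.add(requestor)
        return 200, f"approved {requestor}"

def url_scanner_fetch(service, token):
    """Constructed stand-in for a mail filter's URL sandbox (assumed to send only a GET)."""
    return service.handle("GET", token)

def demo(approve_on_get):
    svc = ApprovalService(approve_on_get)
    token = svc.create_request("guest@example.com")  # constructed sample requestor
    url_scanner_fetch(svc, token)                    # filter inspects the link first
    approved_by_scanner = "guest@example.com" in svc.approved
    svc.handle("POST", token)                        # sponsor opens the mail and confirms
    return approved_by_scanner, "guest@example.com" in svc.approved
```

`demo(True)` shows the access already granted before the sponsor ever sees the email; `demo(False)` shows it granted only after the sponsor's explicit confirmation.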