[Solved] OCSP server sometimes has malformed response of 5 bytes or "unauthorized"

@dugite-code and @Troon: I believe the issues you ran into recently were caused by a brief misconfiguration this afternoon, now fixed.

@mholt: One possible cause of your issue: Right now, Boulder may take up to a second to sign the first OCSP response after signing a certificate. [Edit Dec 2019: Boulder now signs OCSP and writes it to the DB before returning the cert, but in typically-rare conditions of replication lag you might see similar symptoms]. If your code is fetching the OCSP response in that first second, it may get an unauthorized response, which is then cached by Akamai. There are a couple of fixes: In the short term, we’ll fix caching headers on unauthorized responses. In the long term, we plan to switch to the asynchronous certificate issuance specified in the ACME protocol, so that returning the certificate to the client will block on the first OCSP generation. As a workaround in the meantime, I would suggest waiting for a second or two after issuance before requesting the OCSP response for stapling, being tolerant to failures, and retrying periodically.

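The workaround in the reply above (wait a moment after issuance, tolerate failures, retry periodically) as an added stapling-fetch example; this is not code from the post, from Boulder or from Caddy. It uses only the Python standard library: a minimal parser for the `responseStatus` field of a DER `OCSPResponse` (an error response that carries only the status is exactly five bytes, `30 03 0a 01 <status>`, which is what the thread title describes), a retry loop with exponential backoff that treats "unauthorized", unparsable bodies and transport errors alike as transient, and a scripted responder to exercise it offline. The responder URL and the DER `OCSPRequest` passed to `http_fetcher` are assumptions (in practice they come from the certificate's AIA extension and your OCSP library); the two sample responses are constructed.

```python
"""Added example: fetch an OCSP response for stapling with a post-issuance
delay, tolerance for error responses, and periodic retry (stdlib only)."""
import time
import urllib.request
from typing import Callable, List, Optional

# responseStatus values from RFC 6960, section 4.2.1
OCSP_STATUS = {
    0: "successful", 1: "malformedRequest", 2: "internalError",
    3: "tryLater", 5: "sigRequired", 6: "unauthorized",
}


def ocsp_response_status(der: bytes) -> int:
    """Return the responseStatus of a DER-encoded OCSPResponse.

    OCSPResponse ::= SEQUENCE {
        responseStatus  OCSPResponseStatus (ENUMERATED),
        responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL }
    An error response carries only the status and is exactly 5 bytes:
    30 03 0a 01 <status>. Only the outer header is parsed here.
    """
    if len(der) < 5 or der[0] != 0x30:
        raise ValueError("not an OCSPResponse SEQUENCE")
    pos = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)  # skip length octets
    if pos + 3 > len(der) or der[pos] != 0x0A or der[pos + 1] != 0x01:
        raise ValueError("missing ENUMERATED responseStatus")
    return der[pos + 2]


def http_fetcher(ocsp_url: str, request_der: bytes) -> Callable[[], bytes]:
    """Build a fetcher that POSTs a DER OCSPRequest to the responder.
    ocsp_url and request_der are assumed inputs from the caller."""
    def fetch() -> bytes:
        req = urllib.request.Request(
            ocsp_url, data=request_der,
            headers={"Content-Type": "application/ocsp-request"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()
    return fetch


def fetch_staple(fetch: Callable[[], bytes], *, initial_delay: float = 2.0,
                 retries: int = 5, backoff: float = 2.0,
                 sleep: Callable[[float], None] = time.sleep) -> Optional[bytes]:
    """Wait initial_delay after issuance, then fetch; treat transport errors,
    unparsable bodies and non-successful statuses as transient and retry with
    exponential backoff. Returns the DER response to staple, or None."""
    sleep(initial_delay)
    delay = initial_delay
    for attempt in range(1, retries + 1):
        try:
            der = fetch()
            if ocsp_response_status(der) == 0:
                return der
            # e.g. "unauthorized": the responder has no signed response yet
        except (ValueError, OSError):
            pass  # malformed body or HTTP failure (URLError is an OSError)
        if attempt < retries:
            sleep(delay)
            delay *= backoff
    return None  # serve without a staple for now; the caller retries later


# Constructed sample responses (not captured from a real responder)
UNAUTHORIZED_RESPONSE = bytes.fromhex("30030a0106")     # status 6, 5 bytes
SUCCESS_RESPONSE = bytes.fromhex("30070a0100a0023000")  # status 0 + empty [0]


def simulate(script: List[object]) -> dict:
    """Drive fetch_staple with a scripted responder: each entry is bytes to
    return or an exception to raise. Sleeps are recorded, not performed."""
    calls, sleeps = [], []

    def fetch() -> bytes:
        item = script[len(calls)]
        calls.append(item)
        if isinstance(item, Exception):
            raise item
        return item

    result = fetch_staple(fetch, initial_delay=2.0, retries=5,
                          sleep=sleeps.append)
    return {"result": result, "attempts": len(calls), "sleeps": sleeps}


if __name__ == "__main__":
    print(simulate([UNAUTHORIZED_RESPONSE, OSError("reset"), SUCCESS_RESPONSE]))
```

Because the reply notes that an early "unauthorized" answer may be cached by the CDN in front of the responder, the retry interval should be generous rather than tight, and a failed fetch should leave the existing certificate serving without a staple instead of failing the handshake or the issuance.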