It's possible that your problem is exacerbated by Akamai here - they use a form of oneconnect as well, assuming you're setup that way. A /32 bit oneconnect mask (255.255.255.255) ensures that each client gets their own socket - it will not be re-used by other clients. This implies that something upstream is multiplexing as well, representing multiple clients as one source.
The scenario where you really need oneconnect has to do with upstream proxies, which you most definitely have here. I would test with/without it so you can characterize the behaviors in your environment.
-Matt