"Thus the users only need to install the original Cyberoam certificate in the browser's trust store"
Note that if users do this (and I won't be surprised if they're encouraged to) then you've fixed nothing and the Tor project's advisory was futile.
Here's the LWN scenario:
Bob Smith works at Allied Universal Inc.
Allied Universal Inc. uses Cyberoam DPI
Bob's laptop is set up to trust the original Cyberoam CA
The Allied Universal Inc, DPI generates intermediate CA #38319
Cyberoam sign CA #38319 with the original Cyberoam CA
When Bob's at work, his access to MegaBank goes via the DPI, which provides him with an SSL cert signed by #38319, his browser chains from that to the original Cyberoam CA and considers all is well.
Here's why that doesn't fix anything:
Craig Acker is a professional criminal
Craig buys a Cyberoam DPI through a front company
Craig's DPI generates intermediate CA #40216
Cyberoam sign CA #40216 with the original Cyberoam CA
Craig breaks open the DPI and steals the SSL CA keys and puts them into his custom sniffing and session stealing tool
Craig wires up the tool to a high power WiFi transceiver near Bob's house
Bob brings his work laptop home. He accesses MegaBank
The access to MegaBank comes with SSL cert signed by #40216 which chains back to the original Cyberoam CA and everything looks fine
Craig steals Bob's session and transfers $15M of Allied Universal cash to the account of an unwitting accomplice in Paris, who forwards it on. All records will show that Bob performed the transaction. When Allied Universal tell MegaBank that actually Bob had a third party Cyberoam CA installed at their insistence, the bank will declare Allied Universal negligent, as well it should, and they'll be out of pocket by $15M although probably they'll fire Bob to make themselves feel better. There is no trace of Craig anywhere unless the bank can chase the $15M which they may be disinclined to do since they've successfully identified customer negligence as the real cause.