Expected, using libcap is more secure but not more powerful. Essentially it enables the traffic_manager and traffic_server processes to completely drop root access and still work. Without it they retain the ability to restore super user status because otherwise they cannot perform restricted operations (such as bind to a reserved port).
The only thing I can suggest at this point is to enable "lm" debug tags - those might provide some further insight. When a reserved port is bound without libcap (which is normally done in the traffic_manager process) it has to reset the euid to 0 and possibly that is failing because of VZ.
