I think MAX_STAPLING_DER should be removed.
The DER copy in stapling_get_cached_response looks strange; can d2i_OCSP_RESPONSE just use the DER response in ghee certinfo struct?
I don't know about the blocking select loop to hit the responders. We can land the change with that, but would you be able to look into using the ATS core HTTP APIs to fetch the responses?
proxy.config.ssl.stapling.update_period isn't really a check periodicity, it's a sleep period between checks. To implement an update period, you could schedule_every, using a lock to make sure that you don't get concurrent updates. This also saves another background thread.
All functions that return 1 or 0 should be declared bool.