Just confirmed my own theory, i.e. that the second CONNECT isn't part of the protocol and isn't sent by other HTTPS clients. Requesting the same HTTPS server with Internet Explorer and watching the HTTP traffic with Etherial I only see one CONNECT, the first one to the specified remote server.
So it does seem like one of the underlying modules that LWP::UserAgent uses to connect to HTTPS websites is doing something out of the ordinary.
I'll try cutting LWP::UserAgent out of the loop and gradually getting more low-level until I find the point it's going wrong, but if anyone has any suggestions as to where I might start looking that would be great!