It sounds like a permission issue possibly on the IIS side. Do you have a packages directory you use to push out software? Create that citrix package using UNC with a distribution package and see if you get the same error. If it works, look over your IIS permission of the Patch directory
Just an example
If you follow the steps HERE - How to enable Xtrace Diagnostic Logging - that'll let you know how to enable max verbosity on logging (check the bottom comments for a copy'able .REG file in effect).
That'll give you (or our support) a better idea as to what's actually going on, as the downloader bits will be a LOT more chatty.
Checking the IIS side of things as per the above comment would be quite useful too - first to make sure THAT the client is downloading the file from IIS (could be that he's downloading a corrupted/broken file from a peer for instance & failing upon the local hash check).
If you want to help control the download side of things by hand easily, check out this article as well -- How to use PEDownloader.exe to Duplicate / Troubleshoot Software Distribution .
Finally, the following are also helpful:
Hope that helps.
(And yes, that may SEEM like a bit overkill, but it helps you to understand what logs/binaries do what - helps you paint a much fuller picture) .