403 Client Error: Forbidden error returned when trying to connect to yammer OAuth from an application.

my primary goal: within my custom application, i'd like to use yammer oauth to authenticate users of an external network (as i could find no direct method to accomplish this, i've created a work around documented here).

my scenario is as follows: we have a primary network and an external network (going to refer to these as the 'beta networks'), which i have created for the purposes of beta testing a python based application. as a yammer network administrator, i've registered a client application with yammer (here), i believe on the primary network. using the resulting client secret and key, i can successfully connect my (python) application and allow users of the external network to OAuth with no problems.

for production, a second network setup exists, again consisting of an SSO enabled primary network and a (non-SSO) external network (going to refer to these as the 'production networks'). again, a client application has been registered with the primary network on the production networks. however, when i update my (python) application to use the production networks client secret/key, all attempts to oauth with an external user result in 403 Client Error: Forbidden.

on both the beta networks and production networks, the client app resistrations:

• are marked 'enabled',
• are 'published' to the yammer network (though neither are 'global').

the only difference between the beta and production networks that i know of is that production is SSO enabled. does this preclude using the oauth2 authentication process? is there some other setting required because of SSO?

thanks for any help.