Thank you for clarifying. The error is usually the result of one of the below:
1. The username or password is incorrect
2. You are not authenticating against the correct identity provider.
3. Your account has been disabled/locked out
Do you see any errors in the SSG log on the Gateway when authenticating this user?
Is this user able to login to policy manager?
Just to confirm OTK is working correctly, can you test with a resource owner that does not have a "+" as part of the user name? The expect response will be an access token:
i.e:
{ "access_token":"ffe4a4ea7-3aa4-442b-bb75-eae3721ab183", "token_type":"Bearer", "expires_in":3600, "scope":"oob" }
Regards,
Joe