Take a look at how your setup is encoding the “,” character that separates each ID or screen name.
You should encode it as “%2C” and by the time it gets to the OAuth signature base string it should be encoded once again, resulting in “%252C”
Some OAuth and HTTP libraries handle this normalization for you, some do not, and some might even do it half-way.
