Ok, I was completely wrong. The issue was not happening after they return to the site from Twitter. It was not sending the callback out at all because our callback URI was set to http instead of https. Weird thing is that it had been that way for a long time, and it still worked, but sometime in July it stopped working. When I changed our oauth config file to set the callback URI to https, problem was resolved.
Mind you, I also had to correct the whitelisted URL via the developer.twitter.com dashboard, where I was also able to remove the not needed second callback URL (which dev.twitter.com was requiring).
Thanks everyone for your assistance.
Sam
