We're investigating some issues some clients and service providers are having with OAuth Echo on iOS5. Could you assist us by evaluating your service's exact logic when it comes to processing an incoming OAuth Echo request?
One difference now is that iOS may add an application_id parameter to the query string of the URL specified in X-Auth-Service-Provider when calculating its signature base string. Some clients may not be recognizing that this parameter has been added and then neglecting to place it on the URL specified in X-Auth-Service-Provider.
Some service providers may then, in turn, be requesting data not from either A) the exact URL specified in X-Auth-Service-Provider (including application_id when it is present) or B) what it assumes the URL should be (a hard-coded URL to Twitter's verify credentials method).
As you can see, the issues can be both on the client side as well as the service provider side, and you may be experiencing different aspects of the issue depending on the client that's making requests through you.
Can you share exactly how your OAuth Echo requests are interpreted/processed/handled?
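For reference, a sketch of service-provider handling that calls the exact URL from X-Auth-Service-Provider while still refusing unexpected destinations; this is an added example, not part of the original post and not Twitter's code. The allowed host and path, the `EchoError` class, the function names and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed values, not from the original post: where this provider expects
# Twitter's verify credentials method to live.
ALLOWED_HOST = "api.twitter.com"
ALLOWED_PATH = "/1/account/verify_credentials.json"


class EchoError(ValueError):
    """Raised when an incoming OAuth Echo request must be rejected."""


def build_echo_request(headers):
    """Return (url, outbound_headers) for the verification call.

    The URL is passed through byte for byte: its query string (for example
    application_id) was part of the client's signature base string, so
    dropping or rewriting it makes the signature fail.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    provider = lowered.get("x-auth-service-provider", "").strip()
    credentials = lowered.get("x-verify-credentials-authorization", "").strip()
    if not provider or not credentials:
        raise EchoError("missing OAuth Echo headers")

    parts = urlsplit(provider)
    # Compare the whole netloc so userinfo ("host@other") and ports are refused.
    if parts.scheme != "https" or parts.netloc.lower() != ALLOWED_HOST:
        raise EchoError("X-Auth-Service-Provider points at an unexpected host")
    if parts.path != ALLOWED_PATH or parts.fragment:
        raise EchoError("X-Auth-Service-Provider is not verify credentials")

    # Validate host and path only; never rebuild the URL from a constant.
    return provider, {"Authorization": credentials}


def dropped_params(signed_url, called_url):
    """List query parameter names the client signed but the call omitted."""
    called = set(parse_qsl(urlsplit(called_url).query, keep_blank_values=True))
    signed = parse_qsl(urlsplit(signed_url).query, keep_blank_values=True)
    return [name for name, value in signed if (name, value) not in called]


# Constructed sample request headers (placeholder values).
SAMPLE_HEADERS = {
    "X-Auth-Service-Provider":
        "https://api.twitter.com/1/account/verify_credentials.json"
        "?application_id=com.example.app",
    "X-Verify-Credentials-Authorization": 'OAuth oauth_consumer_key="PLACEHOLDER"',
}
```

`dropped_params` can be run over logged pairs of the header URL and the URL a service actually requested to find calls where a signed parameter was lost.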