This is actually not an OAuth 2 issue at all. The "token" in question is a Shindig-style gadgets.rpc "rpctoken," and the reason you're seeing a mismatch is most likely that a previously-uncached iframe is now being cached and the JavaScript inside the iframe is not properly reinitializing gadgets.rpc on hashchange events. This can occur for a few reasons but often is the result of bfcache browser behavior. We've typically gotten around this when rendering gadgets (or [i]frames) by setting src to about:blank, then changing the URL to whatever is intended. YMMV on whether that might be implicated in your particular case!
This error message substantially predates OAuth 2, and is far too confusing. I will change it to avoid this sort of confusion in the future.
Cheers,
John