I'm seeing the same thing. If I use Basic Auth, everything works fine. If I use OpenAuth, I get the rate limit message.
Theory: when you're signed in, the rate limit is per-user, and if you're not signed in, the rate limit is per-IP address. I think the OpenAuth mechanism is somehow not able to determine the user's info, and so uses the IP-based rate limit instead. Does anybody from Twitter read this list? Is there another forum where I can ask about this?