See the users list discussion: http://marc.info/?l=shibboleth-users&m=146956730325829&w=2
The c14n of the presented Assertion token's Subject, as performed by ProcessDelegatedAssertion, is improperly using the current requesting relying party entityID as the SubjectCanonicalizationContext#requesterId. This fails for transient NameIDs, as they were issued to a different RP. Probably also fails for persistent and any other pairwise NameID.
Should probably be based on the SPNameQualifier or other determination of to whom the ID was issued. Alternatively, Scott comments that perhaps the entityID check could be relaxed in this case.
The SAML presenter in the Liberty SSOS case would seem to always be the pairwise recipient of the token's NameID, as the NameID is always re-generated on each trip through the SSOS flow. But need to confirm.
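The mismatch described above, as a simplified model added here for illustration (this is not Shibboleth code and not part of the original report). `TransientIdStore`, both `c14n_*` functions and the entityIDs are hypothetical. It assumes the presented assertion's signature has already been validated, so its SPNameQualifier can be trusted.

```python
import secrets


class TransientIdStore:
    """Stand-in for a transient NameID store that records the RP each ID was issued to."""

    def __init__(self):
        self._issued = {}

    def issue(self, principal, issued_to):
        value = secrets.token_hex(16)
        self._issued[value] = (principal, issued_to)
        # SPNameQualifier names the relying party the pairwise ID was minted for.
        return {"value": value, "sp_name_qualifier": issued_to}

    def decode(self, name_id, requester_id):
        principal, issued_to = self._issued[name_id["value"]]
        # The entityID check: refuse to resolve an ID for a different RP.
        if issued_to != requester_id:
            raise PermissionError(
                f"transient issued to {issued_to}, requested by {requester_id}")
        return principal


def c14n_with_current_rp(store, name_id, current_rp):
    """Behaviour in the report: requesterId is the current requesting RP."""
    return store.decode(name_id, current_rp)


def c14n_with_sp_name_qualifier(store, name_id, current_rp):
    """Suggested alternative: requesterId is the RP the ID was issued to."""
    requester = name_id.get("sp_name_qualifier") or current_rp
    return store.decode(name_id, requester)


def demo():
    store = TransientIdStore()
    # Constructed entityIDs: the token was issued to one RP, the request names another.
    name_id = store.issue("jdoe", "https://portal.example.org/sp")
    current_rp = "https://service.example.org/sp"
    try:
        c14n_with_current_rp(store, name_id, current_rp)
        first = "resolved"
    except PermissionError:
        first = "rejected"
    second = c14n_with_sp_name_qualifier(store, name_id, current_rp)
    return first, second


if __name__ == "__main__":
    print(demo())
```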