Also, in the spirit of “most common oops,” be certain that your user-agent does have a cookie-jar, that it does follow redirects, and that it does capture and properly return all GET-variables. I suggest that you perform a manual login while using a browser-debugger such as Firebug, and note exactly where and how authentication tokens are being exchanged. Sometimes they are “in-band” to the SOAP, and sometimes, “out-of-band.” It can be quite difficult to predict what a particular designer might have done. Once you know, similarly inspect your code to be certain that it does exactly the same, for both error and non-error cases, and that it knows when to give-up.
I find it useful to create a “mock host” in Perl for testing purposes. Once you know exactly what the real host does, you build a small Perl script that you can connect-to over an appropriate localhost port, and bounce your client against that. The mock-host will never lock you out. (Unless, of course, you need to mock that behavior too, for testing purposes.)
Finally, note that tools like Wireshark cannot help you with encrypted (https ...) content, whereas a browser debugger can.