Will talk in points:
# An existing OAuth app which already has xAuth access, works
perfectly in the implementation.
# Created a new OAuth app with Twitter. Got xAuth access for it
# Replaced the implementation's API keys to the new OAuth app's API
# Getting 401 error on OAuth echo attempt with Twitpic.
# If the original API key is used, it works fine.
# "Use Twitter for login" is checked in new OAuth app's settings.
# Requested Twitter to look if it really has access. They verified it
to have xAuth access.
Where's the catch?