Recently my application requested folks to generate new OAuth keys for new scopes, and no one has reported an issue as such. Even for myself, I regenerated my OAuth and the new permission was working as expected. I do see my scope in the call to the API, but, I updated some time back.
When you are checking the API, are you checking immediately or after a few minutes just in case it is a caching item?
EDIT: Never mind, you are saying that you cannot even read user information, I missed that part. Sorry for the confusion.