Thanks all for your patience and information. It's helped narrow things down. It seems CB is a little more picky with their redirection URLs then we realized, but on investigation, it's a pretty easy fix. If interested to implement now, please edit the /modules/mod_sclogin/tmpl/login_vertical.php (or login_horizontal.php, depending on your settings). In either file, around line 70, you'll see:
echo '<input type="hidden" name="return" value="B:' . $jLoginUrl . '"/>';
Update that to:
echo '<input type="hidden" name="return" value="B:' . base64_encode(cbSef(base64_decode($jLoginUrl))) . '"/>';
Please let me know how that goes. The plan is to include this in the release next week, but having confirmation of the fix from real CB sites would be very helpful.
Thanks,
Alex