Here is a way how it works on WLS (by using the WLS-Authentication for getting the tokens):
Create these Roles in WLS:
OAuth Client Application
OAuth Client Developer
<< the role you defined in ords.create_role() >>
(I'm not sure why you also need OAuth Client Developer)
Create a WLS-user named exactly like given with oauth.create_client(). See the user and password with
select client_id,client_secret from user_ords_clients
Grant the 3 roles from Step1 to the new user.
Now you can get a token by calling ords over the wls by giving the username and password from create_client().
Here's a screenshot from an SOAPUI-Request for getting an token:
It is an additional step to define the user in WLS too, but I don't need to change the WLS-Configuration.
Maybe someone can find this useful.