Once you get the code, try swapping out the code for a token using Incognito mode in whatever browser you are logged in with. It seems that if the browser maintains session state (eg. you being logged in), it will throw the bad client credentials message you are seeing on the second step where you swap out the code for a token.
Based on your example, you might run step 1 from a normal Chrome window, then open up Chrome Incognito (Ctrl+Shift+N) and execute step 2.
Alternatively, you could open up your Chrome Developer tools, open the Resources tab, expand Cookies and select the SmartThings entry, and delete the JSESSIONID cookie between each call.
