OK, so after hours of trial-error and forum reading, I am going with the claim that "Because the request token and access token requests happen securely, you can use PLAINTEXT there, then switch to using HMAC-SHA1 when generating the signature". The OAuth guide on the YDN site is vague about this, only stating: "if you use PLAINTEXT, append a '%26' - if you use HDMAC-SHA1, just put a '&' ".
Problem is... that begs the question, do I need to generate a signature with which to sign the request token request? The statement above says "dont worry about it, just go PLAINTEXT at first". So I'm going with that.
So now, I've got an access token, (which BTW, the variable 'auth_token_secret' that you use to request the verifier popup window changes when you get the access_token response! My code was not parsing it out of the access token response, so I was using the old one as I moved on, causing all kinds of problems). I am able to generate Base String, Signature, and Authorization Header.