I posted about this issue on the Moodle forums, and corresponded with Petr Skoda... here's the thread:
http://moodle.org/mod/forum/discuss.php?d=105891

And here's the short summary:

Several of our users have lost forum posts when they got an "Incorrect sesskey" message. The error message is in the formslib.php... it is thrown when Moodle believes the form they are submitting was not generated for them. (I.e., sesskey in the hidden form field does not match sesskey stored in the user's session data.)

The error is happening because, for some reason, the login/index.php page is being requested by these users when they open a second browser tab or window. In Firefox, all browser windows and tabs share the same session.. and somehow the second browser ends up passing through the SSO sign-in process, and executing the code in login/index.php. You can reproduce this on any Moodle site with or without SSO, by opening a second browser window, requesting the login/php.php page yourself, and entering your username and password.

The downstream code in /login/index.php sets a random sesskey, and stores it in the session. So the users are having the sesskey changed for their existing session... and when they try to submit a forum post that they left open in the first browser window, it fails with the sesskey mismatch.

The fix is very simple:

In login/index.php, add this, around line 45 (after the auth_instructions stuff).

// check if the user is already logged in
// if so, skip the login process... otherwise we can mess up
// the existing sesskey and other session data

if (isloggedin()) {
redirect($CFG->wwwroot.'/index.php');
}

After implementing this fix on our site, the sesskey errors have stopped. (We were previously seeing about six a day).