The solution is to NOT do what the instructions call for! (This is the second time that being too truthful has hurt me, thinking like an NSA contractor TRYING to show one is trustworthy.)
The sample instructions suggest, for the Web API part of the equation, that you use a different sign-on URL and App ID than the name of the redirect URI at the mobile site's AAD registration. DON’T DO IT. HAVE ALL THREE THE SAME.
Ignore step 8 of http://azure.microsoft.com/en-us/documentation/articles/mobile-services-how-to-register-active-directory-authentication/ when using SSO; just use AAD.