Although I still believe what I wrote in which I said that the use of wp_nonce in the last steps of the WordPress Automatic Upgrade plugin is an unnecessary precaution, I am puzzled why it did not work. According to Mark’s post on nonces, it sounds like in theory this "number use once" should still be valid if you are forced to log in again. Here is what he wrote.
They are unique to the WordPress install, to the WordPress user, to the action, to the object of the action, and to the time of the action (24 hour window). That means that if any of these things changes, the nonce is invalid.
I guess that if we work through the logic, the only thing I can see that has changed is that the user has logged in again. I must conclude that it is identifying the user by something other than the username. Hmm… This is a puzzle.