Make extra sure that the Access-Control-Expose-Headers includes access-token, expiry, token-type, uid, and client (as is set in the example above by the:expose param). If your client experiences erroneous 401 responses, this is likely the cause.
CORS may not be possible with older browsers (IE8, IE9). I usually set up a proxy for those browsers. See the ng-token-auth readme or the jToker readme for more information.