The dsameuser is present in two notable locations:
(1) Globally in the specialrepo, amongst amadmin, anonymous user etc.
(2) Per server in the serverconfigxml block containing puser,dsameuser and directory manager user/password combinations.
On startup OpenAM writes its bootstrap file, and it uses the local (2) credentials to write the dsameuser details.
When you use ssoadm it reads these credentials from the bootstrap file and uses them to authenticate to /openam/authservice
On a basic/fresh install of OpenAM (embedded config/user store). If you change the dsameuser password in (2), e.g:
Reboot OpenAM and attempt to use ssoadm, it will still use the password in bootstrap. On the first authentication it will let ssoadm in with this password. On subsequent attempts it matches against the specialrepo user password (just changed) and fails.
The solution is obviously to keep both local and global dsameuser passwords the same, however this behaviour is inconsistent. Also if OpenAM always used the local dsameuser password to authenticate authservice requests, the bootstrap would always 'work' with ssoadm.