[Salesforce] Salesforce SAML bearer OAuth flow

I am getting an "invalid assertion" 400 JSON response from Salesforce when I try to get an OAuth access token using the SAML bearer OAuth grant flow:
{"error_description":"invalid assertion","error":"invalid_grant"}

I am following setup instructions from here:
https://login.salesforce.com/help/doc/en/remoteaccess_oauth_SAML_bearer_flow.htm

Now, is there any way of getting more debug information about what is wrong with the assertion?
I have set up the assertion as per the spec and the document above. The message content type is set to application/x-www-form-urlencoded. I am also URL encoding the grant type and the assertion. If I look at my generated assertion in an online Base64 URL decoder, I see that I have to URL decode the assertion and then Base64 decode it to see the contents of the assertion. This looks fine.
How can I go about finding out what Salesforce does not like about the assertion?

Secondly, I am not sure of the setup required in Salesforce to ensure my connected app is configured correctly to handle the SAML bearer flow. Currently I have created a remote access connected app; this app has OAuth enabled and I have a consumer key, secret, redirect URL (which isn't needed in the SAML bearer flow) and also a digital certificate so that Salesforce can decrypt the assertion I send, which is encrypted with a private key. I also have a scope of full access enabled.

I really could do with some help showing me exactly what I need to do to get this working, or at the very least some way of determining what I am doing wrong. The JSON message is probably a bit thin; it would be nice if the particular problem with the assertion was sent back.

Any help with this is much appreciated.
Clive

Best Answer

I think I've had that problem in the past, and it was down to how the assertion was being encoded.

I used this online Base64URL encoder to try and match up how the assertion looked after it was Base64URL Encoded. http://kjur.github.io/jsjws/tool_b64uenc.html

I would also look at the login history of the User you're trying to login as on Salesforce as that could give you a clue as to what's going wrong.
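To make the encoding point in the answer concrete, here is an added example (not code from the question, the answer, or Salesforce) that encodes a constructed placeholder assertion the way RFC 7522 specifies (base64url, no padding) and contrasts it with the "standard Base64, then URL-encoded" form described in the question. The XML, issuer and ID values are placeholders; a real assertion must be signed.

```python
import base64
import binascii
import urllib.parse

# Constructed stand-in for a signed SAML 2.0 assertion (placeholder XML, no
# real <ds:Signature>); used only to exercise the encoding functions below.
SAMPLE_ASSERTION_XML = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    b'ID="_placeholder-id" Version="2.0">'
    b'<saml:Issuer>placeholder-issuer</saml:Issuer>'
    b'</saml:Assertion>'
)

SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
B64URL_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def b64url_encode(data: bytes) -> str:
    """base64url (RFC 4648 section 5) with '=' padding omitted, per RFC 7522."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Reverse of b64url_encode: restore the padding, then decode."""
    text = text.strip()
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def std_base64_then_urlencoded(data: bytes) -> str:
    """The encoding the question describes: standard Base64, then URL-encoded.
    Shown only to make the difference from base64url visible ('+', '/', '=')."""
    return urllib.parse.quote(base64.b64encode(data).decode("ascii"), safe="")


def is_base64url(text: str) -> bool:
    """Check an assertion value: base64url alphabet only, no '=' padding, decodable."""
    if not text or not set(text) <= B64URL_ALPHABET:
        return False
    try:
        b64url_decode(text)
    except (ValueError, binascii.Error):
        return False
    return True


def build_token_request_body(assertion_xml: bytes) -> str:
    """application/x-www-form-urlencoded body for the token endpoint; the
    base64url value survives urlencode() unchanged because '-' and '_' are safe."""
    return urllib.parse.urlencode({
        "grant_type": SAML2_BEARER_GRANT,
        "assertion": b64url_encode(assertion_xml),
    })
```

Running `is_base64url` on the value you actually send is a quick way to tell the two encodings apart before looking at the login history.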
