I don't have my Kerberos testing lab up and running, so can't say specifically if that is an issue. The bad match error does indicate that the target KDC doesn't like something in the ticket though. I'd check the following things:
- That transitive (two-way) trust is correctly established
- That you're actually talking to the correct target domain KDC
- That your delegation account is identified by a userPrincipalName and not a sAMAccountName. I didn't mention this earlier, but it's imperative that the Kerberos SSO delegation account is specified using a UPN format account@domain' versus 'domain\account' or simply 'account'.