Most of the plus.* scopes do not work (ie, are ignored) when accessing Google API's with an OAuth1 token. Thus, OAuth1 request for those scopes are currently not allowed. Replacing plus.login by plus.me should solve your problem while still allowing you to obtain users' identifying information (see scopes' documentation).
Hope that helps!