By serendipity I found the answer.
In order for the projects to show in the API return, the user needs to have the permission "Browse Projects" and permission "create issues" set for each of the projects they should have access to. Being an administrator of a project doesn't automatically grant that permission instead it is often inherited from another role e.g. "Users".
However, there is also a nasty undocumented bug/feature in JIRA 5.2 around authentication using Oauth. Specifically, JIRA oauth in that version requires the use of query parameters for the oauth parameters. It fails if you use POST parameters for the oauth parameters.
Unfortunately, in that version of JIRA at least, /createmeta API call will return a 200 status and an empty response even if you are not authenticated rather than an expected 401 status code.