It's circumstantial but it certainly would suggest there's not enough consistency to rely on the IP address. Maybe it could be worth monitoring AOL IP addresses / session mismatches to get a clearer picture.
Well it's about doing the thing "right" or not. Either you want a solution that "mostly works for most peoples" or you want one that, by design, works for everybody. IMHO, if you use a signed identification token that automatically expires, and you always handle it over SSL, I don't see much need for IP/user agent verification.