so the error you are getting is:
Security header is not valid
This will happen if the API Credentials being used are for the sand box and you are using the live server or if the api is for the live server and you are using the sand box.
Where the problem does not occur until you click the confirm button on the pp_confim.php page, the problem is in the Process Express Checkout server behavior.
In the Server behaviors list, double click the Process transaction with PayPal Express checkout server behavior. Double check that the API credentials in this server behavior are the same as in the Get Payer Profile fro PayPal Express Checkout server behavior and that the sand box setting is the same as well.