OAuth authentication policy with Ping Identity and Salesforce
Article ID: KB0083930
Description
The OAuth authentication policy using the password flow is detailed in the Resolution section below.
Issue/Introduction
A working OAuth authentication policy that uses Ping Identity as the provider and Salesforce as the token endpoint.
Resolution
<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <ns:AuthenticationByJaas xmlns:ns="http://xsd.tns.tibco.com/governance/policy/action/2009">
    <!-- For password credential flow -->
    <ns:OAuthToken>
      <ns:Provider>PingIdentity</ns:Provider>
      <ns:ClientID>xxxxxxxxxxxxxx</ns:ClientID>
      <ns:ClientSecret>xxxxxxxxxxxxxx</ns:ClientSecret>
      <ns:Username>xxxxxxxxxxxxxx</ns:Username>
      <ns:Password>xxxxxxxxxxxxxx</ns:Password>
      <ns:Scopes></ns:Scopes>
      <ns:TokenEndpoint>https://test.salesforce.com/services/oauth2/token</ns:TokenEndpoint>
      <ns:GrantType>PASSWORD_CREDENTIAL</ns:GrantType>
    </ns:OAuthToken>
  </ns:AuthenticationByJaas>
</wsp:Policy>
Note the following.
1). An empty 'Scopes' XML tag is needed to ensure that no scope parameter is added to the token request URL.
2). We noticed that CLIENT_CREDENTIALS did not work with Salesforce.
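As an added example (not TIBCO's, Ping Identity's or Salesforce's code), the following Python parses a policy of the shape above and builds the password-grant token request it describes, showing why an empty Scopes element leaves the scope parameter out of the request. The GrantType-to-grant_type mapping, the helper names and the placeholder credential values are this example's own assumptions.

```python
import urllib.parse
import xml.etree.ElementTree as ET

NS = {"wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "ns": "http://xsd.tns.tibco.com/governance/policy/action/2009"}

# Policy GrantType value -> grant_type form parameter (assumed mapping, not from the article)
GRANT_TYPES = {"PASSWORD_CREDENTIAL": "password",
               "CLIENT_CREDENTIALS": "client_credentials"}

# Constructed sample policy mirroring the article's XML; the credential values are placeholders
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <ns:AuthenticationByJaas xmlns:ns="http://xsd.tns.tibco.com/governance/policy/action/2009">
    <ns:OAuthToken>
      <ns:Provider>PingIdentity</ns:Provider>
      <ns:ClientID>client-id-placeholder</ns:ClientID>
      <ns:ClientSecret>client-secret-placeholder</ns:ClientSecret>
      <ns:Username>user@example.com</ns:Username>
      <ns:Password>password-placeholder</ns:Password>
      <ns:Scopes></ns:Scopes>
      <ns:TokenEndpoint>https://test.salesforce.com/services/oauth2/token</ns:TokenEndpoint>
      <ns:GrantType>PASSWORD_CREDENTIAL</ns:GrantType>
    </ns:OAuthToken>
  </ns:AuthenticationByJaas>
</wsp:Policy>"""


def token_request(policy_xml: str):
    """Return (token_endpoint, form_fields) for the policy's OAuthToken element."""
    tok = ET.fromstring(policy_xml.encode("utf-8")).find(".//ns:OAuthToken", NS)
    def field(name):
        el = tok.find(f"ns:{name}", NS)
        return (el.text or "").strip() if el is not None else ""
    grant = GRANT_TYPES[field("GrantType")]  # KeyError on an unsupported grant type
    form = {"grant_type": grant,
            "client_id": field("ClientID"),
            "client_secret": field("ClientSecret")}
    if grant == "password":  # resource-owner credentials only travel in the password grant
        form["username"] = field("Username")
        form["password"] = field("Password")
    # Note 1 above: an empty <ns:Scopes> must not add a scope parameter to the request
    if field("Scopes"):
        form["scope"] = field("Scopes")
    return field("TokenEndpoint"), form


def encoded_body(policy_xml: str) -> str:
    """The application/x-www-form-urlencoded body that would be POSTed to the endpoint."""
    return urllib.parse.urlencode(token_request(policy_xml)[1])
```

Swapping the empty Scopes element for a populated one (for example `<ns:Scopes>api</ns:Scopes>`) makes the scope parameter reappear, which is the behaviour note 1 warns about.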