ok, well it appears that I did miss something fairly obvious...
this string (which is being passed from another system as a session id) was not URL encoded BEFORE being
delivered to my site. So param is decoding it properly and returning what is essentially junk. So if I
passed them anywhere else, the session id is mucked up.
so the calling system needs to URL encode this first, so it looks like:
in reply to CGI param character strangeness
which then (properly) produces from the same program above:
sid is: %32%2D%9F%A5%54%12%23%AF%CE%C7%D6%D0%91%AB