Cognito User Pool as identity provider with client credentials works only after saving in the AWS console

I’m deploying my application with a Cognito user pool for OAuth2 authentication with client credentials.
After deploying with Serverless I try to get a new access token via Postman and get the answer “invalid grant”. If I go to the AWS console, to the app client page, reload it and press Save (without changing anything), it works. I can request the access token and can connect to my API Gateway.
This happens every time I deploy, which prevents me from automatic deployment. I always have to save in the Amazon console to get it working.
Here is my serverless.yml:
resources:
  Resources:

    UserPoolDomain:
      Type: AWS::Cognito::UserPoolDomain
      Properties:
        UserPoolId:
          Ref: CognitoUserPool
        Domain: "myapp-user-pool-domain"

    CognitoUserPool:
      Type: "AWS::Cognito::UserPool"
      Properties:
        MfaConfiguration: "OFF"
        UserPoolName: myapp-user-pool
        AdminCreateUserConfig:
          AllowAdminCreateUserOnly: true
        UsernameAttributes:
          - email

    CognitoUserPoolClient:
      Type: "AWS::Cognito::UserPoolClient"
      Properties:
        ClientName: myapp-user-pool-client
        GenerateSecret: True
        UserPoolId:
          Ref: CognitoUserPool
        AllowedOAuthFlows: [ "client_credentials" ]
        ExplicitAuthFlows: [ "ALLOW_USER_PASSWORD_AUTH", "ALLOW_REFRESH_TOKEN_AUTH" ]
        SupportedIdentityProviders: [ "COGNITO" ]
        AllowedOAuthScopes: [ "myapp/odata4", "myapp/trigger" ]
        PreventUserExistenceErrors: ENABLED

    ApiGatewayAuthorizer:
      DependsOn:
        - ApiGatewayRestApi
      Type: AWS::ApiGateway::Authorizer
      Properties:
        Name: cognito-authorizer
        IdentitySource: method.request.header.Authorization
        RestApiId:
          Ref: ApiGatewayRestApi
        Type: COGNITO_USER_POOLS
        ProviderARNs:
          - Fn::GetAtt: [ CognitoUserPool, Arn ]

    UserPoolResourceServer:
      Type: AWS::Cognito::UserPoolResourceServer
      Properties:
        UserPoolId:
          Ref: CognitoUserPool
        Identifier: "myapp"
        Name: "myapp"
        Scopes:
          - ScopeName: "results"
            ScopeDescription: "provides myapp results"
          - ScopeName: "trigger"
            ScopeDescription: "trigger for myapp start"

Does anyone have an idea? What is changed by pressing the Save button in AWS?

1 Like
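What the console Save does is enable the OAuth settings on the app client. In CloudFormation that is the `AllowedOAuthFlowsUserPoolClient` property of `AWS::Cognito::UserPoolClient`, which defaults to false when omitted: the `AllowedOAuthFlows` and `AllowedOAuthScopes` listed in the post are stored on the client but not enabled, so the `/oauth2/token` endpoint answers `invalid_grant` until someone saves the client with OAuth turned on. Once the flag is set, Cognito validates the scopes at creation time, so the client must also be created after the resource server that defines them. The following app client definition is an editor's example added here, not the original poster's configuration; it reuses the logical names from the post and assumes the rest of the posted serverless.yml stays as it is. Note that the scopes must be `<Identifier>/<ScopeName>` values of the resource server; the post's `myapp/odata4` is not defined on the posted resource server, so the example uses `myapp/results` and `myapp/trigger`.

```yaml
# Editor's example, not the original post's config: the app client with
# OAuth enabled at deploy time so no console Save is needed afterwards.
# Logical names (CognitoUserPool, UserPoolResourceServer) come from the post.
resources:
  Resources:
    CognitoUserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      # With OAuth enabled, Cognito checks that every scope below exists when
      # the client is created, so the resource server must be created first.
      DependsOn:
        - UserPoolResourceServer
      Properties:
        ClientName: myapp-user-pool-client
        GenerateSecret: true
        UserPoolId:
          Ref: CognitoUserPool
        # The missing piece: defaults to false, in which case the OAuth flows
        # and scopes are stored but disabled until the client is saved in the
        # console with OAuth turned on.
        AllowedOAuthFlowsUserPoolClient: true
        AllowedOAuthFlows:
          - client_credentials
        # Must be "<resource server Identifier>/<ScopeName>" for scopes that
        # the resource server actually defines (results and trigger here).
        AllowedOAuthScopes:
          - myapp/results
          - myapp/trigger
        SupportedIdentityProviders:
          - COGNITO
        ExplicitAuthFlows:
          - ALLOW_USER_PASSWORD_AUTH
          - ALLOW_REFRESH_TOKEN_AUTH
        PreventUserExistenceErrors: ENABLED
```

To confirm the deploy did the right thing without opening the console, run `aws cognito-idp describe-user-pool-client --user-pool-id <pool-id> --client-id <client-id>` (placeholders are yours to fill in) and check that `AllowedOAuthFlowsUserPoolClient` is `true` and `AllowedOAuthScopes` lists the expected scopes. A client-credentials grant only ever yields an access token, so the API Gateway method protected by the Cognito authorizer must declare authorization scopes; a method with no scopes configured expects an ID token and will reject the access token even when the token request itself succeeds.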