Here's a modified version of the diagram below, showing the additional steps that happen behind the scenes. A few more notes and caveats:
- the flow for this diagram comes from here; all mistakes are mine, I'm sure
- this diagram is made from the perspective of how I think our application has to do it; there may be more to OpenID than I'm showing
- new parts are in reddish
- I've tried to simplify things so that users new to OpenID can easily understand what's going on. This required a couple of shortcuts:
  - David's Identity Page (i.e. http://davidjanes.myopenid.com) doesn't have to be on the same server or domain as the server that's actually doing the authentication (MyOpenID.com). David could, for example, use http://www.davidjanes.com to log in and still have MyOpenID do the authentication. We'll dedicate a whole post to this, so stand by.
  - The diagram uses the preferred login flow, which uses a Diffie-Hellman exchange to create the shared secret (a diagram of the gory details is here, in comp-sci hieroglyphics). There's also a "dumb mode" that skips the shared-secret stage and lets the "consumer" (i.e. the role BlogMatrix.com is playing) validate the login with the provider after the final redirect.
- If MyOpenID has never seen David log in from BlogMatrix before, it is supposed to confirm first with David that he trusts BlogMatrix with his identity
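To make the "shared secret" step concrete, here is an added Python sketch (my own illustration, not code from OpenID, MyOpenID or BlogMatrix) of what the consumer and the provider each compute during the Diffie-Hellman association, and how the consumer then checks the signature on the final redirect with the MAC key it recovered. It assumes OpenID 1.1's DH-SHA1 / HMAC-SHA1 variant, skips the base64 transport encoding of the DH values, and uses a constructed 64-bit prime instead of the spec's 1536-bit default so the numbers stay readable.

```python
import base64, hashlib, hmac, secrets
# Demo-only DH group (constructed): a 64-bit prime keeps the arithmetic readable.
# Real OpenID associations use the spec's 1536-bit default modulus with generator 2.
P = 0xFFFFFFFFFFFFFFC5
G = 2

def btwoc(n: int) -> bytes:
    """OpenID 'btwoc': shortest big-endian two's-complement bytes of a non-negative int."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def consumer_associate():
    """Consumer (BlogMatrix) picks its DH private value x and sends g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def provider_associate(consumer_pub: int):
    """Provider (MyOpenID): pick y and a fresh MAC key; return g^y and SHA1(btwoc(g^xy)) XOR mac_key."""
    y = secrets.randbelow(P - 2) + 1
    mac_key = secrets.token_bytes(20)           # HMAC-SHA1 key the two sides will share
    shared = pow(consumer_pub, y, P)
    return mac_key, pow(G, y, P), xor(hashlib.sha1(btwoc(shared)).digest(), mac_key)

def consumer_recover_mac_key(x: int, server_pub: int, enc_mac_key: bytes) -> bytes:
    """Consumer derives the same shared secret and unmasks the MAC key."""
    shared = pow(server_pub, x, P)
    return xor(hashlib.sha1(btwoc(shared)).digest(), enc_mac_key)

def kv_form(fields: dict, signed: str) -> bytes:
    """Key-value form of the signed fields, in the order listed in openid.signed."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed.split(",")).encode()
def sign(mac_key: bytes, fields: dict, signed: str) -> str:
    return base64.b64encode(hmac.new(mac_key, kv_form(fields, signed), hashlib.sha1).digest()).decode()
def verify(mac_key: bytes, fields: dict, signed: str, sig: str) -> bool:
    return hmac.compare_digest(sign(mac_key, fields, signed), sig)

def run_login_demo():
    """Association, then the signed final redirect; returns (keys_match, sig_ok, tampered_rejected)."""
    x, consumer_pub = consumer_associate()
    op_key, server_pub, enc = provider_associate(consumer_pub)
    rp_key = consumer_recover_mac_key(x, server_pub, enc)
    # Constructed sample of the fields the provider signs on the final redirect.
    fields = {"mode": "id_res", "identity": "http://davidjanes.myopenid.com/",
              "return_to": "http://blogmatrix.example/openid/return"}
    signed = "mode,identity,return_to"
    sig = sign(op_key, fields, signed)
    tampered = dict(fields, identity="http://someone-else.example/")  # altered in transit
    return rp_key == op_key, verify(rp_key, fields, signed, sig), not verify(rp_key, tampered, signed, sig)
```

The last tuple element is the point of the shared secret: a redirect whose identity field was changed after the provider signed it no longer verifies, so the consumer can reject it without another round trip to the provider.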
You can follow all my posts on this subject at this page or this RSS feed.