When using a PAM endpoint above version 2.5, password changes in IM also force a password change in PAM itself. So the user logs into PAM and must change their password a second time.
Identity Manager with PAM endpoints running PAM higher than 2.5.
The root cause is that the latest versions of PAM (above 2.5) expect an extra attribute, 'resetPasswordFlag', set to 't' or 'f', along with the password update. If the value is not set (null), PAM treats the attribute as true and forces the user to change the password at login after the password change.
The Identity Manager code has been adjusted to also send the password flag with password resets. This functionality is available in Identity Manager 14.2 CP2; please upgrade if this issue is impacting your system.