The built-in Delegated Administrator Role includes the "Approve CAC User" privilege. When a new user logs on with the Smart Card for the first time, a new user entry without group membership is created, and that entry has to be approved before the user can access PAM. The "Approve CAC User" privilege used to be all that was needed to do that, but it does not work in 3.1.1 or 3.2. The delegated administrator gets a PAM-UI-2411 error stating that the user must belong to one of the user groups that the admin manages, but a new CAC user does not belong to any user group yet. This worked in 2.8.
PAM 3.1.1, 3.1.2 or PAM 3.2
PAM Engineering found and fixed the problem in the PAM source base. The fix is scheduled to be included in the next maintenance releases 3.1.3 and 3.2.2, and in future PAM releases and maintenance patches. As of July 16, 2018, no hotfixes are available to resolve the problem.