In many environments passwords are set to expire after a period of time, usually for security purposes. For example; Active Directory includes the GPO option "Maximum password age". When a password expires it can no longer be used by CA PAM since it will fail to authenticate. To ensure this never happens PAM has a Password Expiration feature that includes an option to force rotate passwords when they expire.
Tip: For an even safer configuration it is possible to set PAM to use an administrative account to rotate passwords instead of the account rotating its own password. This way in case there ever is a problem with the accounts own password the rotation should still work as long as the administrative account is still properly working.
Creating Password Composition Policies (& enabling password expiration):
Use an Alternate Account to Change Passwords: