Set the "Use elevated privileges with authentication" flag in the account details for user1, the account that runs the sudo command to change another account's password.
If the sudo command on the device is configured to ask for the password of the account that runs the command first, which is the default and recommended configuration for sudo, then CA PAM needs to be configured accordingly.
When the "Use elevated privileges with authentication" flag is set for the account that logs on, PAM will know that after issuing the "sudo passwd <other account>" command it first has to provide the logged-on user's password, before sending the new password for the account to be changed.