PAM Version 3.2 - Perform multiple credential changes from the Target Account screen (Generate new Credential -> Save). Rotations succeed 4 out of 5 times, but periodically an Invalid Request error is returned, the account does not rotate, and it goes out of sync. The account will then verify, and the next attempt to generate a new credential succeeds.
The problem was caused by a special character, &, which happened to be included in every 4th or 5th newly generated password. The ESX target server does not accept this character.
Remove any character not accepted by the target device from the Password Composition Policy associated with the target application for the problem target accounts.
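
The following is an added example, not part of the original article or of PAM itself. It checks a composition policy's character set against the characters a target rejects and estimates how often rotation would fail. The character set, the password length of 16, and the assumption that each position is drawn uniformly and independently are constructed for illustration.

```python
import string

# Constructed sample policy: letters, digits and seven special characters.
# This is NOT taken from a real PAM Password Composition Policy.
POLICY = string.ascii_letters + string.digits + "!@#$%&*"


def rejected_in_policy(policy_chars, target_rejected):
    """Return the policy characters the target will not accept, sorted."""
    return sorted(set(policy_chars) & set(target_rejected))


def expected_failure_rate(policy_chars, target_rejected, length):
    """Probability that a generated password holds at least one rejected
    character. Assumes uniform, independent sampling per position, which
    is an assumption about the generator, not documented PAM behaviour."""
    pool = set(policy_chars)
    if not pool:
        raise ValueError("policy character set is empty")
    bad = pool & set(target_rejected)
    return 1 - (1 - len(bad) / len(pool)) ** length


def safe_policy(policy_chars, target_rejected):
    """Policy character set with rejected characters removed, order kept."""
    rejected = set(target_rejected)
    seen = set()
    kept = []
    for ch in policy_chars:
        if ch not in rejected and ch not in seen:
            seen.add(ch)
            kept.append(ch)
    return "".join(kept)


if __name__ == "__main__":
    target_rejected = "&"  # the character the article says ESX refused
    print("rejected characters in policy:",
          rejected_in_policy(POLICY, target_rejected))
    rate = expected_failure_rate(POLICY, target_rejected, 16)
    print(f"expected failed rotations: {rate:.1%}")
    fixed = safe_policy(POLICY, target_rejected)
    print("after fix:",
          f"{expected_failure_rate(fixed, target_rejected, 16):.1%}")
```

With one rejected character in a 69-character set and 16-character passwords, roughly one rotation in five fails, which is why the error looks intermittent rather than consistent.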