Customer has used Windows servers as NTP Servers. Although there are no official restrictions to this configuration, on most environments Windows Time Servers will fail to provide CA PAM a correct time response.
Windows Time Servers are not standard NTP implementations (details here) and, because of this, CA PAM fails to sync its clock. The screenshot below shows an example of Windows Time Servers being rejected by CA PAM. The configuration is correct, the servers are reachable, but they are unable to sync:
To get rid of this issue we recommend the use of standard NTP servers, Unix/Linux based.