We're running a Policy Server and we'd like a way to show the user,
in the browser, the number of failed login attempts before he or
she successfully logs in.
How can we do it?
Policy Server 12.8SP3 on RedHat 7
At first glance, Advanced Password Services (APS) provides the data for
that. You then have to customize your web page or application to read
the data from the User Store. For this customization, you might need to
engage our Services department for guidance.
Here is the extract from the documentation that mentions it:
smapsFailuresSinceLastLogin
"Note that if your site wishes to display failure count information on
a user's screen, you should use smapsFailuresSincePreviousLogin, since
the user just logged in and this value has been cleared."
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/advanced-password-services-configuration/user-directories-schema-storage-and-capabilities/schema-amp-storage.html
In the Policy Server bin/ folder, you'll find the APS.cfg file,
which holds the full configuration of Advanced Password Services. You
might want to check the section:
##FAILURE COUNT##
For full documentation about this feature, we invite you to read the
following section:
Advanced Password Services Configuration
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/advanced-password-services-configuration.html
We also invite you to get in touch with our Services department to
benefit from their experience in customizing applications with APS, as
some restricted APIs are available through them.
Application Programming Interface
Starting with Version 3.0, APS provides a true Application
Programming Interface (API). This interface does not provide a
generic interface to updating directories; rather, it provides
programmatic access to APS' password evaluation capabilities and
run-time authentication checking.
The API is "housed" in a library called APSAPI (under Windows,
APSAPI.DLL, and under Solaris, libAPSAPI.so). This library and the
required C/C++ language header file, are installed with APS on the
Policy Server under the SDK directory.
The API is supplied for C/C++ and COM only. If it must be called
from Java, it is up to the site to build a JNI interface to the API,
though a JNI interface may be provided with a future release. It is
not possible at this time to produce a native Java API, because the
APS API calls into the CA Single Sign-On Agent API, which is C/C++
only. Thus, a JNI call must be made at that point. The CA Single
Sign-On Agent API remains C/C++ only for security reasons.
CA Professional Services can be contracted to write programs that
use this API and can be contracted to help architect applications
that use it. However, we do not provide direct support for
customer-written programs that use the API. Since APS includes
utilities (such as SmCPW and APSAdmin) that call the API, the API
itself can be tested cleanly without using customer code. Failures
in customer code should be tested using a CA-supplied interface
before calling for support.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/advanced-password-services-configuration/application-programming-interface.html
In addition, you'll find the libraries indicated above in the following folder:
On Linux:
{policy_server_home}/APS_SDK
APSAPI.h
libAPSAPI.so
Compiling & Linking
The APSAPI package includes a file called APSAPI.h, which contains
all of the function definitions for the API. This file must be
included in your source code in order to declare the functions. When
linking under Windows, you will need APSAPI.lib (also provided with
the APSAPI kit). This file contains information that the linker needs
to connect your program to APSAPI.DLL. Under Solaris, you can specify
libAPSAPI.so in your makefile for linking purposes.