For CA PAM to be able to control a MySQL account's password it is necessary to first setup a master account in MySQL and PAM accordingly.

Note:
An account name in MySQL consists of a username and the name of the client host from which the user must connect to the server.
MySQL account names have the format 'user_name'@'host_name'. 
It is possible to use for the host_name the % wildcard character to set up an account that enables the user to connect from any host in an entire domain or only a subnet. 
In case of a PAM Cluster (e.g. pam1.mysqlhost.example.com and pam2.mysqlhost.example.com)  the master account needs to be able to login from any node of the cluster to the database.

Hence, it is necessary to create the master account in MySQL e.g. the following way:

CREATE USER 'pwd_admin'@'pam%.mysqlhost.example.com' IDENTIFIED BY 'some_pass';
GRANT ALL PRIVILEGES ON *.* TO 'pwd_admin'@'pam%.mysqlhost.example.com' WITH GRANT OPTION;
FLUSH PRIVILEGES;

The master account can then be setup in PAM e.g.

The actual MySQL target account to control e.g. is 'monty' and is allowed to login from any host, i.e.

[mysql]> SELECT User, Host FROM mysql.user WHERE USER = 'monty';
+-------+------+
| User  | Host |
+-------+------+
| monty | %    |
+-------+------+

It needs to be setup in PAM accordingly:

Note, only when defining a master account ("Use the following account to change password") for a MySQL target account it is possible to specify the host_name Qualifier of this account.