Running the Developer Tools while connecting to CA PAM reveals that login.jsp has a Content Security Policy (CSP) configured with script-src 'self' 'unsafe-inline' 'unsafe-eval', which is commonly considered an insecure configuration.
In particular, the following links suggest that this combination of options might allow someone to inject an inline script to run alongside the URL, and that it is therefore an insecure combination:
https://content-security-policy.com/unsafe-inline/
https://csp.withgoogle.com/docs/strict-csp.html
CA PAM, all releases
CA PAM encodes all the user data entered and shown in the UI. This is enough to prevent XSS and eliminate the possible problem coming from this combination of options.
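To check what a given policy actually permits for scripts, the following added example (not CA PAM code and not part of the original article) parses a CSP header value and reports on the directive that governs script execution. The helper names parseCsp and auditScriptSrc are hypothetical, and the second and third sample policies are constructed for illustration.

```javascript
// Added example: audit the directive that governs script execution in a CSP header value.
// parseCsp and auditScriptSrc are hypothetical helper names, not part of any product.

// Parse a CSP header value into a Map of directive name -> source expressions.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function auditScriptSrc(headerValue) {
  const csp = parseCsp(headerValue);
  // script-src falls back to default-src when it is absent.
  const governing = ['script-src', 'default-src'].find((d) => csp.has(d)) || null;
  if (governing === null) {
    return { governing, findings: ['no script-src or default-src: scripts are not restricted'] };
  }
  const sources = csp.get(governing);
  const has = (kw) => sources.some((s) => s.toLowerCase() === kw);
  const nonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-.+'$/i.test(s));
  const findings = [];
  if (has("'unsafe-inline'")) {
    findings.push(nonceOrHash
      ? "'unsafe-inline' is present but ignored by CSP Level 2+ browsers because a nonce or hash is set"
      : "'unsafe-inline' permits inline <script> blocks and inline event handlers");
  }
  if (has("'unsafe-eval'")) {
    findings.push("'unsafe-eval' permits eval() and other string-to-code APIs");
  }
  return { governing, findings };
}

const samples = [
  "script-src 'self' 'unsafe-inline' 'unsafe-eval'",   // policy quoted in this article
  "script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'",  // constructed sample
  "default-src 'self'; img-src *",                     // constructed sample
];
for (const policy of samples) {
  console.log(policy, '=>', JSON.stringify(auditScriptSrc(policy)));
}
```

A finding here describes what the policy permits, not whether the page is injectable; that still depends on how user data is encoded on output.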