Consider a Password Composition Policy (PCP) for an application with a minimum password length of 8 and a maximum password length of 12.
Whenever a new password is generated following that PCP, its length is always 12 rather than a number of characters ranging from 8 to 12.
When the account is first onboarded, a password of 8 characters or even fewer is allowed.
This is by design. The purpose of a PCP is to establish the restrictions an acceptable password must meet. In this example, when a target account is onboarded and its password is entered, that initial password is not validated against the composition policy, since it has to be used and validated against the device. Any manual update to the password must follow the composition policy in the same manner as automated password rotation does.
However, if CA PAM must create the password itself, it will always try to do so with the maximum possible security. Given the same restrictions on the characters allowed in the password string, a longer password is usually considered more secure, so CA PAM always uses the maximum length available in the PCP when creating a new password (in this example, always 12).
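
The three paths described above (onboarding, manual update, generated password) can be modelled as follows. This is an added example, not CA PAM's code; the alphabet and the class and function names are assumptions made for illustration.

```python
import math
import secrets
import string
from dataclasses import dataclass

# Assumed character set for illustration; a real PCP defines its own.
ALPHABET = string.ascii_letters + string.digits


@dataclass(frozen=True)
class Policy:
    min_length: int = 8
    max_length: int = 12

    def validate(self, password: str) -> bool:
        """Check applied to manual updates and to rotated passwords."""
        return (self.min_length <= len(password) <= self.max_length
                and all(c in ALPHABET for c in password))

    def generate(self) -> str:
        """Generated passwords always use the maximum length the policy allows."""
        return "".join(secrets.choice(ALPHABET) for _ in range(self.max_length))

    def entropy_bits(self, length: int) -> float:
        """Entropy of a uniformly random password of the given length."""
        return length * math.log2(len(ALPHABET))


def onboard(initial_password: str) -> str:
    """The initial password must match the device, so no PCP check is made."""
    return initial_password


def manual_update(policy: Policy, new_password: str) -> str:
    """Manual updates are rejected unless they satisfy the policy."""
    if not policy.validate(new_password):
        raise ValueError("password does not meet the composition policy")
    return new_password


if __name__ == "__main__":
    pcp = Policy()
    print("generated length:", len(pcp.generate()))
    print("bits at min/max length:",
          round(pcp.entropy_bits(pcp.min_length), 1),
          round(pcp.entropy_bits(pcp.max_length), 1))
```

With this assumed 62-character alphabet, the difference between length 8 and length 12 is roughly 24 bits of entropy, which is why a generator that picks the maximum length gives the strongest password the policy permits.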