A user tries to log in with their user ID and wants to replace their one-time-use password with a permanent password during the login attempt.
The current behavior is as follows: the user ID authenticates successfully with the temporary password on the login page, the user completes MFA successfully, and the user is then prompted with the Password Change Request form (a SiteMinder form) to replace their temporary password with a permanent password.
This form displays an error and prevents the user from completing the password change. The error messages suggest that SiteMinder is unable to accept the temporary password as the "old password". Here are steps to reproduce the issue:
This is the error observed in the log.
In the Policy Server Trace log, the following is observed:
[merpa01][merpa01][][CA Directory][ Token prerequisite not met, Invalid Token.][][][][][][Apache][** Status: Authentication Attempt Failed. Token prerequisite not met, Invalid Token.][][][][][]
WebAgent - SiteMinder 12.52 SP1 CR11
A fix is provided and attached to this KB article which addresses this issue.