Lock the user of adminUI after specific times of login failure

Article ID: 381245


Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

By default, the adminUI has no password policy feature: it cannot lock or disable an administrator account after a number of failed login attempts.


Resolution

Configure SiteMinder to protect the adminUI; a password policy can then be applied to the adminUI.

The following example uses Access Gateway as the proxy server.

1. If HTTPS is used, ensure the Access Gateway ACO has usesecurecookie=Yes and SameSite=None (or SameSite=Lax). Otherwise, after step 3 configures the external admin store, Chrome will block the default Basic authentication for the adminUI.

2. Configure the Access Gateway to redirect (from a gateway URL) to the old adminUI URL as described in the document
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/start-the-administrative-ui-and-manage-objects/protect-the-administrative-ui-with-siteminder.html
(see the section "Configure the Access Gateway to Proxy Requests to the UI").

NOTE1: the proxyrules.xml example in the document is not complete; add or keep the following lines at the beginning of the proxyrules.xml file:
<?xml version="1.0"?>
<?cocoon-process type="xslt"?>
<!DOCTYPE nete:proxyrules SYSTEM "file:////opt/CA/secure-proxy/proxy-engine/conf/dtd/proxyrules.dtd">

NOTE2: in server.conf, ensure enableproxypreservehost="no".

3. Configure the external admin store (refer to the section "Enable Administrative Authentication" in the document above).

Log in to the adminUI via the Access Gateway and navigate to Administration > Admin UI > Configure Administrative Authentication:
CA Single Sign-On agent: the agent of the Access Gateway
Directory type: the user directory for adminUI administrators
Connection Details: for the user directory of adminUI administrators
Administrative User Object Classes: use the default 4 objects (organizationperson, person, top, user)
Attribute mapping:
Disabled State: an attribute in the user directory that indicates whether the user is disabled (required by the password policy to lock the account after the specified number of failed logins)
Other attribute mappings: use the default values.
Select super user: for the adminUI

After the wizard finishes, it automatically creates a domain named "CA Single Sign-OnDomain" with a corresponding realm and rule. By default, the new domain protects the Administrative UI with the Basic authentication scheme instead of the default adminUI login page. It also creates the "SiteMinder Administrators" user directory for the adminUI.

4. Wait for the adminUI to restart. Do not close the browser; otherwise some background tasks might not finish, which will cause problems.

5. Log in to the adminUI and configure an authentication scheme for the adminUI that supports password policies, such as "HTML Form Template", instead of Basic authentication.
6. Create a new password policy for the "SiteMinder Administrators" user directory.
7. Restart the Policy Server, the adminUI, and the Access Gateway.
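The checks in step 1, NOTE1 and NOTE2 are easy to get wrong when done by hand. The following script is an added example (not part of this article or of the SiteMinder product) that verifies them against a copy of proxyrules.xml, the relevant server.conf line, and the ACO parameters exported as a dictionary; the sample inputs at the bottom are constructed.

```python
import re

# The three header lines NOTE1 says must stay at the top of proxyrules.xml.
REQUIRED_HEADER = [
    '<?xml version="1.0"?>',
    '<?cocoon-process type="xslt"?>',
    '<!DOCTYPE nete:proxyrules SYSTEM '
    '"file:////opt/CA/secure-proxy/proxy-engine/conf/dtd/proxyrules.dtd">',
]

def missing_header_lines(proxyrules_xml):
    """Return header lines that are absent or out of order (empty list = OK)."""
    lines = [ln.strip() for ln in proxyrules_xml.splitlines() if ln.strip()]
    return [exp for i, exp in enumerate(REQUIRED_HEADER)
            if i >= len(lines) or lines[i] != exp]

def preserve_host_disabled(server_conf):
    """True only if server.conf sets enableproxypreservehost="no" (NOTE2)."""
    m = re.search(r'^\s*enableproxypreservehost\s*=\s*"?(\w+)"?',
                  server_conf, re.M | re.I)
    return m is not None and m.group(1).lower() == "no"

def aco_problems(aco, https=True):
    """Step 1: over HTTPS the ACO needs usesecurecookie=Yes and SameSite None or Lax."""
    if not https:
        return []
    norm = {k.lower(): str(v).strip().lower() for k, v in aco.items()}
    problems = []
    if norm.get("usesecurecookie") != "yes":
        problems.append("usesecurecookie must be Yes")
    if norm.get("samesite") not in ("none", "lax"):
        problems.append("SameSite must be None or Lax")
    return problems

# Constructed sample inputs (not taken from a real installation).
SAMPLE_PROXYRULES = """<?xml version="1.0"?>
<?cocoon-process type="xslt"?>
<!DOCTYPE nete:proxyrules SYSTEM "file:////opt/CA/secure-proxy/proxy-engine/conf/dtd/proxyrules.dtd">
<!-- forwarding rules from the Broadcom document go here -->
"""
SAMPLE_SERVER_CONF = 'enableproxypreservehost="yes"\n'   # wrong on purpose
SAMPLE_ACO = {"UseSecureCookie": "Yes", "SameSite": "Strict"}  # Strict breaks step 1

if __name__ == "__main__":
    print("proxyrules header missing:", missing_header_lines(SAMPLE_PROXYRULES))
    print("preserve host disabled:", preserve_host_disabled(SAMPLE_SERVER_CONF))
    print("ACO problems:", aco_problems(SAMPLE_ACO))
```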

Additional Information