Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
A security scan shows that the PAM server does not return a frame-ancestors directive in the Content-Security-Policy (CSP) header. Does this mean PAM is vulnerable to clickjacking?
The frame-ancestors directive indicates whether a browser should be allowed to render a page inside a frame. Sites use it to prevent clickjacking by ensuring their content is not embedded in other sites.
PAM 4.x
PAM is not vulnerable to clickjacking.
PAM uses the X-Frame-Options: SAMEORIGIN header instead of the frame-ancestors directive.
This prevents PAM web pages from loading in an iframe hosted by web pages from a different domain.
X-Frame-Options is a legacy header, but it is supported by all major browsers. The only difference between CSP frame-ancestors and X-Frame-Options is the level of granularity each gives over iframe controls.
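The following is an added example, not PAM's own code: it applies the rule above to a set of response headers, letting a CSP frame-ancestors directive decide when present and falling back to X-Frame-Options otherwise, so a response that carries only X-Frame-Options: SAMEORIGIN is still reported as blocking cross-origin framing. The hostnames in the sample headers are constructed, and port matching is deliberately left out.

```python
"""Added example (not PAM's code): decide whether a browser would render a page
inside a frame hosted by a given origin, honouring CSP frame-ancestors first and
the legacy X-Frame-Options header second. All sample values are constructed."""
from urllib.parse import urlsplit

def _origin(url):
    s = urlsplit(url)
    return f"{s.scheme}://{s.netloc}".lower()

def _parse_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None

def _source_matches(src, embedder):
    """Minimal host-source match: exact origin, scheme-only ('https:') or
    leading-wildcard host ('*.example.com'). Ports are not modelled."""
    scheme, _, host = embedder.partition("://")
    if src.endswith(":") and "/" not in src:          # scheme-source
        return scheme == src[:-1]
    src_scheme, sep, src_host = src.rpartition("://")
    if sep and src_scheme != scheme:                   # scheme given and differs
        return False
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])
    return host == src_host

def framing_allowed(headers, page_url, embedder_url):
    """True if embedder_url may frame page_url. Header names are matched
    case-insensitively; a present frame-ancestors directive takes precedence
    and X-Frame-Options is then ignored, as the CSP specification requires."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = _origin(page_url), _origin(embedder_url)
    sources = _parse_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if "none" in sources:
            return False
        if "self" in sources and embedder == page:
            return True
        return any(_source_matches(s, embedder) for s in sources if s not in ("self", "none"))
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    return embedder == page if xfo == "sameorigin" else True  # no protection: allowed

if __name__ == "__main__":
    # Constructed headers mirroring the article: X-Frame-Options only, no frame-ancestors.
    pam_headers = {"X-Frame-Options": "SAMEORIGIN", "Content-Type": "text/html"}
    print(framing_allowed(pam_headers, "https://pam.example.com/", "https://evil.example.net/"))
```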