Documentation mainly references Password View Policies, which apply to password disclosure.

Is there an equivalent approval mechanism for RDP, SSH, or Web Portal access, where users must request access and an approver must approve the session before connection, without showing the password?

All Supported versions of CA PAM

Dual Authentication - If being configured as part of the Password View Policy (PVP), works the same way for any type of connection ie., for SSH / RDP / Web Portal Access. 
If the user is a standard user, then this user will not have the ability to view the password.

No special configuration changes are required to associate the PVP with ant of the access methods.