You are getting 400 bad request for Password Service Task in Identity Manager connected to IM.


Article ID: 423991


Products

CA Identity Manager, CA Identity Suite

Issue/Introduction

A network trace of the password change request shows a 400 Bad Request response for the Password Service Task.

Environment

Identity Manager v15.

Cause

This is a known issue in Siteminder.

Please upgrade Siteminder to version 12.8.08 as per information in the article.

Resolution

This is a known issue in Siteminder.

Please upgrade Siteminder to version 12.8.08 as per information in the article.

===

The workaround for the issue is to set ALLOW_UNESCAPED_CHARACTERS_IN_URL to true.

Add the JVM option below to your IDM, under IGA Xpress --> Services --> Identity Manager --> Java Options:

-Dorg.wildfly.undertow.ALLOW_UNESCAPED_CHARACTERS_IN_URL=true

If this does not work, change the setting directly by editing

/opt/brcm/iga/inst/idm/startup/templates/jboss8.0.xml 

or

/opt/brcm/iga/inst/idm/startup/templates/jboss-latest.xml 

depending on your version of JBoss, by adding the entry

<http-listener name="default" socket-binding="http" allow-unescaped-characters-in-url="true" (...)>
<http-listener name="default" socket-binding="https" allow-unescaped-characters-in-url="true" (...)>

Please take into account that this file will be overwritten on every IGA Xpress upgrade.

Additional Information

As per the JBoss documentation:

  • allow-unescaped-characters-in-url If this is true Undertow will accept non-encoded characters that are disallowed by the URI specification. This defaults to false, and in general should not be needed as most clients correctly encode characters.
  • Note that setting this to true can be considered a security risk, as allowing non-standard characters can allow request smuggling attacks in some circumstances.
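
Because the relaxed setting is a security risk and the template file is overwritten on every IGA Xpress upgrade, it is worth auditing where it is actually enabled, for example to confirm the workaround has been removed once SiteMinder is upgraded. The Python sketch below is an added example, not Broadcom or JBoss code; the sample XML and Java options are constructed, and it assumes the configuration file is well-formed XML.

```python
import re
import xml.etree.ElementTree as ET

ATTR = "allow-unescaped-characters-in-url"
JVM_PROP = "org.wildfly.undertow.ALLOW_UNESCAPED_CHARACTERS_IN_URL"

# Constructed sample for illustration, not the real IGA Xpress template.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:example">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:example">
      <server name="default-server">
        <http-listener name="default" socket-binding="http"
                       allow-unescaped-characters-in-url="true"/>
        <https-listener name="https" socket-binding="https"/>
      </server>
    </subsystem>
  </profile>
</server>"""
SAMPLE_JAVA_OPTS = "-Xmx2g -D" + JVM_PROP + "=true"  # constructed


def audit_listeners(xml_text):
    """Return one record per Undertow listener with its effective setting."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any
        if tag in ("http-listener", "https-listener"):
            # The attribute defaults to false when it is absent.
            enabled = elem.get(ATTR, "false").strip().lower() == "true"
            findings.append({
                "listener": tag,
                "name": elem.get("name"),
                "socket_binding": elem.get("socket-binding"),
                "unescaped_allowed": enabled,
            })
    return findings


def jvm_property_enabled(java_opts):
    """True if any occurrence of the system property is set to true."""
    values = re.findall(r"-D" + re.escape(JVM_PROP) + r"=(\S+)", java_opts)
    return any(v.strip("\"'").lower() == "true" for v in values)


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_XML):
        state = "RELAXED" if f["unescaped_allowed"] else "strict (default)"
        print(f'{f["listener"]} name={f["name"]} '
              f'binding={f["socket_binding"]}: {state}')
    print("JVM property enabled:", jvm_property_enabled(SAMPLE_JAVA_OPTS))
```

To audit a real installation, pass the contents of the edited template file and the configured Java options string to the two functions instead of the samples.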

This option will not be added as a default option in the IGA Xpress / IM configuration.

The default way to change the IGA Xpress or IM configuration is described here.