What is the minimum authority needed to limit an administrative acid to only be able to reset passwords? 

Do one of the following: 

1) TSS ADD(dept) CASECAUT(TSSCMD.USER.REPLACE.PASSWO) (if not already owned) 
The TSS ADD command is limited to 26 character resource names for CASECAUT. 
TSS PER(acid) CASECAUT(TSSCMD.USER.REPLACE.PASSWORD) 

2) Or give the acid MISC8(PWMAINT) admin authority, which authorizes the administrator to do password maintenance on acids within their scope. This will allow the use of the PASSWORD keyword on any command, or the SUSPEND keyword on the REMOVE command, without specifying ACID(MAINTAIN) or MISC1(SUSPEND).