Thanks Chris and Kar. It looks like we have hit the known limitations under enhanced Active Directory integration.
The non-working user directory has its root configured as an OU (e.g. OU=***,DC=***,DC=***); the working user directory is configured as DC=***,DC=***. It looks like, since pwdMaxAge and some other properties are properties of the default DN, they are not available at OU level, so SM fails to read them and then fails to redirect the user for an expired password. As soon as I changed the non-working directory to the default DN, the expired-password redirection started working. Eventually I found the following line in the Admin guide.
Here is a line: In the Root field, enter the default Windows domain’s DN as the user directory root. For example:
dc=WindowsDomain,dc=com
Note: If the Root field is set to another value, AD-specific features may not work.
I swear I saw more information somewhere last night but can't seem to find it today.
I am wondering: if I modify the schema at OU level and manually set pwdMaxAge, will SM be able to read it?
Also, BTW, setting the password policy's password max age to 90 days has no effect. The password policy seems to play no role in redirection based on an expired password.
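An added illustration of why the root matters, not code from this thread or from SiteMinder: in AD the domain-wide password-age setting is the maxPwdAge attribute on the domain object itself, and an account's expiry is derived from it together with the user's pwdLastSet (both Windows FILETIME-style 100 ns values). The DNs, the in-memory "directory" and the 90-day value below are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed stand-in for an LDAP search result: the domain object carries
# maxPwdAge, the OU object does not (this is the page's observed behaviour).
DIRECTORY = {
    "DC=example,DC=com": {"maxPwdAge": -77760000000000},  # 90 days, negative 100 ns units
    "OU=Staff,DC=example,DC=com": {},                      # OU root: no domain policy attrs
}
NEVER_EXPIRES = -0x8000000000000000   # AD sentinel: password never expires
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def domain_root_from_dn(dn):
    """Keep only the DC components of a DN, i.e. the default domain DN."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join(p for p in parts if p.upper().startswith("DC="))

def read_max_pwd_age(root_dn, directory=DIRECTORY):
    """Mimic reading maxPwdAge from the configured user-directory root DN."""
    return directory.get(root_dn, {}).get("maxPwdAge")

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def password_expired(pwd_last_set, max_pwd_age, now):
    """True if the password has expired at time `now`.
    pwdLastSet == 0 means 'must change at next logon'; maxPwdAge is stored as a
    negative interval; 0 or the sentinel means no expiry. A missing maxPwdAge
    (e.g. the root was an OU) is the condition that leaves SM unable to decide."""
    if max_pwd_age is None:
        raise ValueError("maxPwdAge not readable at this root")
    if pwd_last_set == 0:
        return True
    if max_pwd_age in (0, NEVER_EXPIRES):
        return False
    expires_at = filetime_to_datetime(pwd_last_set) + timedelta(microseconds=-max_pwd_age // 10)
    return now >= expires_at

if __name__ == "__main__":
    ou_root = "OU=Staff,DC=example,DC=com"
    print("at OU root:", read_max_pwd_age(ou_root))                        # None
    print("at domain root:", read_max_pwd_age(domain_root_from_dn(ou_root)))  # -77760000000000
```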