HI,
This is not supported OOB by CA so far.
The only one that SM is integrating with is CA SSO (site minder)
That say SDM support to use the REMOTE_USER for the authentication so you may be able to use any external that can pass it including AJP connector to do.
Note that using AJP you need to make sure that tomcat authentication is set to false on your ajp connector by adding tomcatAuthentication="false" for the REMOTE_USER to be passed on.
Never directly tried using AJP but I don't see why this will not work. Another option is to use a reverse proxy that support 2FA in front of SDM( my prefered method).
Hope this help.
/J