Hi Vlad,
Looking at the wizard when you select the primary authentication as OTP by email or sms, you don't get the option of LDAP as secondary authentication after risk analysis is invoked.
This will require customization of the AFM therefore please reach out to your account team with this request so that they can reach to the respective CA teams. Your account team may reach out to the CA global deliveries team.
For your question on documentation on afm customization, there is no documentation on that.
Thanks
Awijit