If you could put an external load balancer in front of PAM, then you could get a kind of HA.
The LB could be configured to forward all traffic to the single node in the primary site. If the LB detects that the primary is unavailable, then it could forward all traffic to the single node in the secondary site. Assuming that you're running in "operationally safe" mode, end users can continue to obtain passwords and make connections.
Obviously, administrators will not be able to make any updates, as the node in the secondary site is read-only. So you would need to factor in a short down-time to promote that site to primary (or alternatively, you can recover the primary node in a reasonable time frame).
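
The forwarding rule described above, written as an HAProxy configuration. This is an added example, not part of the original post or of the PAM product documentation. The post does not name a load balancer, so HAProxy is an assumption, as are the hostnames, port and timer values.

```haproxy
# Active/passive forwarding for a two-site deployment (added example).
# Hostnames, port 443 and all timer values are placeholders.
global
    log /dev/log local0

defaults
    mode    tcp              # TLS is passed through, not terminated on the LB
    log     global
    option  tcplog           # logs which server handled each connection
    timeout connect 5s
    timeout client  30m
    timeout server  30m

frontend pam_in
    bind *:443
    default_backend pam_nodes

backend pam_nodes
    # check: TCP connect probe every 5s; 3 consecutive failures mark the
    # node down, 2 consecutive successes mark it up again.
    server pam_primary   pam-primary.example.internal:443   check inter 5s fall 3 rise 2
    # backup: receives traffic only while no non-backup server is up,
    # so the read-only secondary is used solely during a primary outage.
    server pam_secondary pam-secondary.example.internal:443 check inter 5s fall 3 rise 2 backup
```

With this layout, new connections return to the primary as soon as its health check passes again. A TCP connect probe only shows that the port answers, so the server state changes in the HAProxy log are worth alerting on to know when users are being served by the read-only site.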