A quick update to my own reply from earlier:
I was told recently when reviewing this with a colleague that if the assertion fails, the reasonCode will be set to the same code returned from the SiteMinder Java SDK. That SDK is documented here, for reference: https://support.ca.com/cadocs/0/CA%20SiteMinder%20r12%20SP2-ENU/Bookshelf_Files/HTML/javadoc-sm/com/netegrity/sdk/dmsapi/SmDmsUser.html#changePassword(java.lang.String,%20java.lang.String,%20boolean)
You'll notice that from the returned reasonCodes listed in that SDK, it definitely works with a password policy that may be set on the CA SSO server.
From the SDK notes, here are the possible reasonCodes from a change request that doesn't match a password policy set:
If the change password request fails, SmApiResult may contain one of the reason codes below. These reason codes indicate a violation of a password policy:
0. No failure reason.
1. Change of password is required.
1000. General failure.
1001. Password is too short.
1002. Password is too long.
1003. The old password is bad.
1004. Password has already been used.
1005. Password is too similar to a previous password.
1006. Password has too many repeating characters.
1007. Password contains a disallowed word from the password dictionary.
1008. Password has too few alphabetic characters.
1009. Password has too few numeric characters.
1010. Password has too few alphanumeric characters.
1011. Password has too few punctuation mark characters.
1012. Password has too few non-printable characters.
1013. Password has too few non-alphanumeric characters.
1014. Password contains text that matches too many consecutive characters in the user's directory entry.
1015. The grace period has been exceeded for allowing user login after the user's password has expired.
1016. PIN is a system-generated PIN.
1017. PIN is too long.
1021. PIN is accepted.
1022. Password has too few lower case letters.
1023. Password has too few upper case letters.
1024. Password cannot contain lower case letters.
1025. Password cannot contain upper case letters.
1026. Password cannot contain digit characters.
1027. Password cannot contain punctuation characters.
1028. Password cannot contain non-printable characters.
1029. Password cannot contain non-alphanumeric characters.
1030. Password cannot contain alphanumeric characters.
1031. Password must not match the disallowed regular expression(s).
1032. Password does not match the required regular expression(s).
1033. PIN is too short.
1034. PIN can contain only digit characters.
1035. PIN can contain only alphanumeric characters.