When PAM rotates a credential it follows a sequence of Verify > Update > Verify.
The first verification is performed using the new password to see if it actually needs to update the target (you may have already done it manually).
Of course this first verify step usually appears as a failed login attempt, and depending upon your domain policies, this could result in a lockout event.
Make sure your domain doesn't lock after a single incorrect password. The default is 3 attempts before locking and this is usually adequate, 2 attempts should work, but locking after a single attempt will prevent PAM from changing passwords.
NOTE: if you follow best practice and create a "master" account in the domain that is used to update the password for all of the other domain accounts you can get around this issue. If you tell PAM to use the master account to verify the password, the lockout won't occur at all. However even with the account verifying it's own password, the password update will unlock the account anyway so it will only be locked for a fraction of a second.
I hope that helps.