I would suggest a couple of things:

1. Log in to the Cisco router and run a `show run` to make sure the TACACS+ server is selected.
2. Log in to the TACACS+ ACS server user interface to look into the user you are trying to manage and see its properties.
3. Retry the login procedure, but outside CA PAM. What PAM is doing when managing a TACACS+ account is basically hitting Enter whenever it receives the prompt from the Cisco router, and that triggers a "Change your password" prompt. See if, when you do this manually for that user by ssh'ing to the Cisco router, you are able to hit Enter and change the password. If you get an error there, don't go further: if you can't do it directly from outside PAM, PAM won't be able to do it either.
4. If 3 works, then if you have a user local to TACACS+ (one which is not AD integrated), try that one. If that one works, then the problem will be with the communication with AD.
5. If 3 or 4 are unclear or still do not work, repeat the procedure and get the catalina log. That one will tell you exactly what PAM is doing.

Ultimately, if you can't sort it out, please open a case with CA Support. We will be happy to assist :-)