What are some documented best practices for password rotation. Is there a whitepaper or published brief to support this best practice
What CA product are you referring to? I think there's different based on what product you are using.
There is no right answer to this question.
Best is not always functional. Worst is insecure. Somewhere in-between the organization decides what best meets it's needs.
Length: How long is too long or too short?
Retention: How frequent is too frequent, or not frequent enough?
Complexity: How complex should it be?
Black Lists: What words or combination or words should be disallowed.
Passwords which are too complex and change too frequently may cause an increase in lockouts, resets, and possibly calls to the helpdesk. Too simply or change to infrequently could pose a security risk. CA Siteminder/Single Sign On will allow you to tune your Password Policies to meet the needs of your organization.