After provisioning API request credentials following instructions in the CA PAM 2.6 Implementation Guide in a CA PAM cluster environment, an attempt to make an external API call using the API request credentials fails with error code 401 and message "Unauthorized: The attempt to retrieve the user's password for login failed. Please check with an administrator for further details.". The session logs contain a message "User *** using API key YYY can't perform GET operations while cluster is stopped ...". But the cluster is ON and in sync.
The customized default password view policy (PVP), which automatically is associated with the target account that is created while the API request credentials are provisioned, had the "Checkout/Checkin" and "Change Password On View" options checked.
Change the default PVP or associate the target accounts for the ApiKey target application with a different PVP that does not have both options set.
This appears to be an issue related to password checkout and API keys... not a conflict between "change on view" and "check out/check in". I was only able to clear the error by disabling password checkout altogether... which is unfortunate as that is the ideal PVP for API-Keys.