Hi Vasu,
As Miquel said, the catalina (Tomcat) logs would be the place to check in PAM. First you should set the log level to INFO, then reproduce the issue. Then you can find errors like the one below which may tell you more about why it failed:
INFO: Failed authentication to Active Directory using account 'jondu01' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580]' javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580]
In this case I got LDAP error code 49, with sub-error 52e. A quick Google search shows that this specific error means "Invalid credentials". After updating the credentials it works fine.
Or like this one:
SEVERE: Failed to update password in Active Directory javax.naming.NoPermissionException: [LDAP: error code 50 - 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]; remaining name 'CN=administrator,CN=Users,DC=hilltop,DC=lab'
In this case I got error code 50 (INSUFF_ACCESS_RIGHTS), which means the account I tried to use for password rotation does not have the proper privileges.
If you choose to do this, remember to set the log level back to WARNING when you are done or you may run into HDD space problems!
In AD you would check the Event Viewer Security Log for logon events. It is a bit harder to check through AD though, because these are local logs on the DC, meaning you would need to check every DC for the log, and it will not go to the same one every time (unless there is only one DC in the environment).
You should also ensure that your AD is able to use LDAP over SSL (usually on port 636). If not, WDS will not work properly and would display generic messages like the ones you are seeing.
Hope this helps,
-Christian
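A small triage script for the kind of catalina log lines shown in this reply, added here as an example (not code from the post or from the PAM product): it pulls the LDAP result code and the AD "data" sub-code out of each line and maps them to their meaning. The two sample log lines are constructed to match the messages above, and the sub-code table holds the standard Active Directory bind diagnostic values.

```python
import re

# Constructed sample catalina log lines, modelled on the two messages quoted in the reply.
SAMPLE_LOG = """\
INFO: Failed authentication to Active Directory using account 'jondu01' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580]'
SEVERE: Failed to update password in Active Directory javax.naming.NoPermissionException: [LDAP: error code 50 - 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]; remaining name 'CN=administrator,CN=Users,DC=hilltop,DC=lab'
WARNING: Unrelated line with no LDAP diagnostics
"""

# Standard LDAP result codes that appear in the post.
LDAP_RESULT = {49: "invalidCredentials", 50: "insufficientAccessRights"}

# Well-known Active Directory 'data' sub-codes returned with result code 49.
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches both the LdapErr (bind) and SecErr (modify) diagnostic formats seen above.
LDAP_RE = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<hex>[0-9A-Fa-f]{8}): "
    r"(?P<kind>LdapErr|SecErr): DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"(?:comment: (?P<comment>[^,]+)|problem (?P<problem>\d+ \([A-Z_]+\))), "
    r"data (?P<data>[0-9A-Fa-f]+)"
)

def parse_ldap_error(line):
    """Return a dict describing the LDAP diagnostic in one log line, or None if absent."""
    m = LDAP_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    data = m.group("data")
    if code == 49:
        # For invalidCredentials the AD sub-code says *why* the bind failed.
        meaning = AD_BIND_DATA.get(data, "unknown AD bind sub-code")
    else:
        meaning = LDAP_RESULT.get(code, "unknown LDAP result code")
    return {"code": code, "data": data, "kind": m.group("kind"), "meaning": meaning}

def triage(log_text):
    """Parse every line of a catalina log excerpt and keep only the LDAP diagnostics."""
    return [r for r in (parse_ldap_error(l) for l in log_text.splitlines()) if r]
```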