Hi Sarwan,
I believe here we are talking about basic password services (BPS).
If that is the case, the logic is pretty simple. Here is how it works:
1) After the max failed login attempts user is disabled (disabled flag is set).
Additionally, the password data field (SiteMinder password blob) is updated to set "Disabled Timestamp" value.
2) Now, when the user tries to login, if the disabled flag is set, it will check when was it disabled ( from the blob) and calculate if it is time to enable the user based on the user lockout duration configured in the password policy.
So, as you can see the check happens every time user attempts to login and the user is enabled during the first login attempt after the lockout duration as configured in the password policy. User are not enabled automatically.