Account Lockout functionality only affects authentication. Sessions that are already active can still be used. This is a Request for Enhancement to the Account Lockout feature in AM to remove or invalidate the active sessions of a user who gets locked out.
For example, given a username:
1 - Search and delete all active tokens in CTS
2 - Set inetUserStatus (or equivalent) to Inactive
3 - Audit the above somewhere
Either the API (better) or direct LDAP calls could be used for this.
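
The gap and the three requested steps, as an added example that is not AM code: the user store, the CTS and the audit log are modelled with in-memory dictionaries, and the class, method and event names are hypothetical.

```python
import secrets
import time

class Model:
    """In-memory stand-in for the user store, the CTS and the audit log."""
    def __init__(self):
        self.status = {}    # username -> inetUserStatus ("Active"/"Inactive")
        self.tokens = {}    # session token id -> username (CTS stand-in)
        self.audit = []     # audit records, oldest first

    def authenticate(self, username):
        """Issue a session token unless the account is inactive."""
        if self.status.get(username) != "Active":
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = username
        return token

    def session_valid(self, token):
        return token in self.tokens

    def lock_out(self, username, revoke_sessions):
        """Lock an account. revoke_sessions=False models lockout that only
        blocks authentication; True applies the three requested steps."""
        revoked = []
        if revoke_sessions:
            # Step 1: search for and delete all of the user's active tokens.
            revoked = [t for t, u in self.tokens.items() if u == username]
            for t in revoked:
                del self.tokens[t]
        # Step 2: set inetUserStatus to Inactive so new logins fail.
        self.status[username] = "Inactive"
        # Step 3: audit the lockout and how many sessions were removed.
        self.audit.append({"ts": time.time(), "event": "LOCKOUT",
                           "user": username, "sessions_revoked": len(revoked)})
        return len(revoked)

def run(revoke_sessions):
    """Constructed scenario: demo has two sessions, bob has one, demo is locked."""
    m = Model()
    m.status.update({"demo": "Active", "bob": "Active"})
    demo_tokens = [m.authenticate("demo"), m.authenticate("demo")]
    bob_token = m.authenticate("bob")
    m.lock_out("demo", revoke_sessions)
    return {"new_login": m.authenticate("demo"),
            "old_sessions_valid": [m.session_valid(t) for t in demo_tokens],
            "bob_valid": m.session_valid(bob_token),
            "audit": m.audit[-1]}

if __name__ == "__main__":
    print(run(False)["old_sessions_valid"], run(True)["old_sessions_valid"])
```

The audit record carries a count of revoked sessions, not the token ids, so the audit log does not become a second place where session identifiers are stored.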