Currently PWResetQuestion function doesn't work for user datastore other than SunDS because it's using "passwordExpirationTime", which is operational/virtual attribute in DSEE.
Also, steps on how to use "Force Change Password on Next Login" is not clear/undocumented.
How to recreate :
1. login to admin console
2. [Configuration] -> [ Global] -> "Password Reset" link
3. check "Force Change Password on Next Login:"
4. click [Save] button (you need to configure secret QA setting as well)
5. create test user "testuser01" under [Subjects] tab
6. edit "testuser01" and click "Password Reset Options: Edit" link
7. check "Force Change Password on Next Login:"
8. click [Save] button
9. access /<openam_context>/UI/Login and login as "testuser01"
10. provide question and answer
11. click [Save]
12. access /ui/PWResetQuestion
13. provide "testuser01" and click [Next]
14. provide answer to secret questions and click [OK]
At this point, PWResetQuestionModelImpl is kicked. If "Force Change Password on Next Login" is enabled on user entry, then PWResetQuestionModelImpl will set "passwordExpirationTime: 19700101000000Z" to user's entry. This will make user's password expire and user will be forced to change password if OpenAM's user datastore is SunDS.
Unfortunately, this doesn't work for other types of datastore.