From the description, it seems like that you are using local ACS database.
You can check the variety of Password change that ACS can support,
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/user/guide/g.html#wp16647
Basically there are four types,
First two are only applicable, when we have user in Windows Database.
Third one is only applicable if we have user in local database, but we are using Tacacs+ as the authentication protocol.
And the last one says,
"Password Aging for Transit Sessions-Users must be in the CiscoSecure user database. Users must use a PPP dialup client. Further, the end-user client must have CiscoSecure Authentication Agent (CAA) installed."
From my experience, there has been only one/two instances out of ten where I have seen this kind of setup working, when we have installed CAA and Cisco VPN Client together, and user is on local ACS database, to get it to work.
And this was in the case when Cu were using ACS 3.3.x and some lower version of VPN Client.
But if you have user on Window database, it works like a charm, using password management command on ASA,
hostname(config)# tunnel-group general-attributes
hostname(config-tunnel-general)# password-management
CAA is on installation/Upgrade CD of ACS SE.
Summarizing, I am not sure if this will work using local database of ACS.
Other solution that you can look into is UCP.
A utility that is used for changing password for local users on ACS database.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/installation/guide/passwords/ucp_1.html
Again, UCP is not that flexible, i.e., you cannot change password through this utility, if password has already been expired etc.
HTH
Prem