Hi Melwin,
Greetings !! 
Not sure if I understand the exact scenario of yours, but since I have implemented something similar, let me see if I can be of any help.
We have implemented something on similar lines in our environment. Its Windows environment, SSO using trusted Auth mechanism using Siteminder for authentication purpose.
We have not come across this scenario mentioned above, (let me check on this behavior and get back to you).
1) For us, when the user logs in for the first time he needs to enter the credentials for authenticating the Siteminder once. Do your users need to authenticate at-least for the first time against the IBM tivoli access manager ?
2) For us, I guess, after the session timeout, the user would be required to authenticate against the Siteminder, but that seems okay to me. Is that something you are trying to avoid ? I really do not see it as an issue, though.
3) You mentioned that the user do not know or remember their password, and thats why you are trying to fix this. For us, the ONLY password the user need to enter are the credentials they use to login into their Laptop. So they DO NOT have to remember anything else, which is why SSO has configured in first place.
Let me know your thoughts.
Thanks & Regards,
Monish