SAP - user locked out... or not?

2026. 03. 10.

User receives a message that they are locked out, but actually they are not.

In our R/3 system, we use a standard IBM Security Verify Directory Server (SVDS) for user authentication. We also use SAP Secure Network Server (SNC) and Secure Login Client (SLC) to achieve so-called SSO in SAP. The workflow is simple:

  1. In SAP Logon, the user clicks the system they want to log in to.
  2. The SLC client intercepts the request and verifies that it has a configured profile for it; if yes, it presents a login prompt.
  3. The user fills in the login prompt with the credentials they have in IBM SVDS.
  4. If no, the flow terminates and an error message is displayed.
  5. If yes, an 8-hour X.509 certificate is issued by the SNC server for the user, and they can log on to the system based on the SVDS credentials.

Sometimes, however, even though the user is active and has the proper credentials in SVDS, the SNC server still shows a "User account is locked" error message on the SLC login screen.

The circumstances that trigger this are unknown. The only solution is to let the problematic user log on with a direct password on the host where SNC is running. Once they have logged in with the direct password and the account has been reverted to SNC, the whole flow works again.

So in a nutshell:

  1. Unlock the user on the SNC-hosted instance if they are locked.
  2. Give them a direct password on that host and allow GUI login in SU01.
  3. With this password, the user must log in to the SNC-hosted instance in the GUI, change their password, and log out.
  4. Then revert everything on the SNC-hosted instance (GUI direct login prohibited, password deactivated).
  5. Optionally, change the password on the self-service interface, if there is one.
  6. After that it will work. There is some bug in SNC that causes issues like this.