I suspect that you have some funny combination of login* system parameters and/or data inconsistency in USR02 which are confusing the password mechanism.
An imaginable scenario: what do you have for login/password_change_for_SSO? This could be destroying the password (the user actually always has a possibility to do that, so faulty configuration could also be doing it programmatically for him).
So take a closer look at what is happening to field USR02-CODVN when this problem happens.
BTW: Calling programs can also do many stupid things with return messages. So the problem might not be USR02 related at all, or not even the APIs to perform remote logins.
Cheers,
Julius