Are you using a direct attribute instead of a server-derived rule to get from the PF attribute to the role? Is the RFC3576 coming from the same IP as a defined RADIUS server for that AAA profile? Over here the answer to both those questions is no, and what we've had to do is define the RFC3576 server as both an RFC server and a RADIUS auth/acct server in the AAA profile, and then turn off the auth/acct instance we defined by using the "mode" switch, which is apparently what they decided to call the enable/disable switch.
(We use disconnect-requests instead of CoAs but in theory you'd have to do the same, because we do hop VLANs, but ISTR seeing CoAs work during initial testing.)