Update - issue is still happening at random times. Working with TAC....
But in the meantime I have managed to narrow the issue down by looking at debug logs from CPPM, logs from LDAP, and a packet capture from the CPPM server. There are a couple of things that stand out, but I am not too familiar with all of the concepts... Just throwing it out here to see if this rings any bells for anyone.
1- First of all, my LDAP engineer confirmed that he is getting the LDAP query from ClearPass for the failed request. He also sees the LDAP server respond with the query results immediately and without errors. But ClearPass still failed after a 10 minute delay.
2- Secondly, at the exact same time that ClearPass sends the failed request message to Access Tracker... the packet capture also shows a TCP reset initiated by ClearPass at the same time that the LDAP query is sent out by CPPM.
My LDAP engineer mentioned that in the past he has seen a similar issue with servers that use "Java based pools". Does this ring a bell with anyone? I don't remember reading about this in the CPPM user guides, but that sounds like an internal thing.