Your session must get to "Allow" or "Redirect + Allow" state in order to pass APM and be allowed to the pool. Watch the logs (/var/log/apm) carefully while you're testing your Access Policy logic.
As you've found, you can't present a link during access policy evaluation to get back into the access policy again, because APM assumes that your session (with the cookie you have) is currently processing and not yet complete. Don't do a link. Instead, just allow the user to get all the way to the end for the "resetpw" case, assign a restrictive ACL that only allows the "resetpw" functionality, and use an allow+redirect ending.
Of course you can get around anything using irules, but for a simple situation like this it would be better to use just access policy items to do it.