So I suppose that when you access the services you meet the different criteria of your APM policy:
-> Basic auth for AS
-> NTLM for OA
Then the SSO triggers based on your initial authentication when accessing the APM policy.
If a user changes his pwd during an AS session (for example), he will send his old pwd to Exchange AS, which will cause SSO to be disabled in the APM session. Since you are connected to your session, it does not ask you to authenticate until timeout.
You can reduce the APM session timeout or, if it is possible, make an iRule that deletes the current session if the SSO fails. This will reinstate the session and the pwd will be requested again...
Regards
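
One way to write the iRule suggested in the reply above (an added example, not code from the original post). It assumes ActiveSync is published under `/Microsoft-Server-ActiveSync` and that a 401 returned by the backend on that path means the cached SSO password was rejected; the variable names `is_activesync` and `apm_user` are illustrative.

```tcl
# Added example: remove the APM session when backend SSO is rejected,
# so the next request runs the access policy and asks for credentials again.
# Assumption: ActiveSync lives under /Microsoft-Server-ActiveSync.

when HTTP_REQUEST {
    # Decide on the request side whether this transaction is ActiveSync,
    # and keep the result in a connection-scoped variable.
    set is_activesync 0
    if { [string tolower [HTTP::path]] starts_with "/microsoft-server-activesync" } {
        set is_activesync 1
    }
}

when ACCESS_ACL_ALLOWED {
    # Capture the logon name while the session is known to be valid,
    # purely so the log line below identifies whose session was dropped.
    set apm_user [ACCESS::session data get "session.logon.last.username"]
}

when HTTP_RESPONSE {
    # A 401 from Exchange after APM has applied SSO means the stored
    # password no longer matches (for example after a password change).
    if { $is_activesync && [HTTP::status] == 401 } {
        if { [info exists apm_user] } {
            log local0.notice "ActiveSync SSO rejected for $apm_user, removing APM session"
        } else {
            log local0.notice "ActiveSync SSO rejected, removing APM session"
        }
        # Delete the current access session; the client must re-authenticate.
        ACCESS::session remove
    }
}
```

Attach it to the virtual server that carries the access profile, and check the log entries against real password changes before relying on it, since any other cause of a backend 401 on that path will also end the session.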