After a password is changed, the user must be logged out of application (i.e. JBossSX cache flush). If your UI is web-based, this usually can occure by invalidating the web session. Is this step happening? You can verify what principals are in the cache via the jmx-console (mbean: jboss.security:service=JaasSecurityManager).
After changing the password user is not logged out( i am not invalidating the session).
But i manually logged out, and i can login with old password.
is any configeration to jboss, so that it always picks the password from database? not from cache?