We have got smart cert as our primary auth and LDAPS as secondary even though after logging in to vpn the user is prompted for his password expiration but he cant change it, except only on the last day or he can do it manually by going to prefences is there any way that can be changed .
No; that is expected. The warning is there to let users know they will need to change the password either through the preferences pane prior to expiration, on the physical network, or on the day of final expiration.
You can use custom sign-in pages. See this post: https://forums.pulsesecure.net/topic/pulse-connect-secure/28732-password-change-via-custom-pages#M55....