Hi Steven,
This is really vCO's expected behaviour. The credentials are saved as part of the workflow execution. At resume time the credentials are checked against the authentication provider (LDAP). As far as vCO is concerned, a changed password is indistinguishable from trying to authenticate a non-existent user.
You could try using vCO with SSO. SSO acts as mediator between vCO and the authentication provider and deals with tokens instead of passwords. The nice thing about tokens is that they can be renewed by vCO if necessary so even if the password is changed in the LDAP the token is still valid.
Beware that in SSO mode the password in not available. This could change some of your scenarios because you could no longer integrate with a 3rd party system that supports LDAP only. vCenter and vCloud can work in SSO mode though.