I know this is 7 years later - but thought I would post the idea in case some one is Googling for a similar idea.
My recommendation would be to use OTP to create a unique password, and then store that password in a file in the devices local storage. Not great security but neither is using the same password for the device anyway (not saying there are not valid use cases for that however).
Then when you setup/boot the device it can check if the file exists, if it does then read the password from the file. If not then create a new one.
:local mypassword ([ /certificate scep-server otp generate minutes-valid=0 as-value; ]->"password");
MC