The ldap-realm.otp-credential-mapper.seed-from attribute in Elytron subsystem refers to an LDAP attribute which stores an OTP seed. The LDAP-attribute value currently has to be Base64 encoded, which seems to be wrong.
The problem is in the Elytron class org.wildfly.security.auth.realm.ldap.OtpCredentialLoader which handles the encoding/decoding.
The OTP RFC 2289 says
I.e. There is no need to Base64-encode the String bytes.
Don't encode/decode the LDAP attribute value.