You can refer to https://ask.openstack.org/en/question...
Keystone is in the process of finalizing OTP. Most probably it will be available in kilo release ( next release)
https://review.openstack.org/#/c/130376/
Update 1:
None of the services require any change. All the services operate on token and the roles assoicated with token. As long as you pass a valid token to the service, it will work. It doesn't matter how you got the token.
Pluggin is just an implementation of a interface. Look at Pasword auth at https://github.com/openstack/keystone... . Similarly you need to add one more class say OTPAuth and override the authenticate method to validate the OTP.
Next step is to register your class in the configuration file. Check the following line: https://github.com/openstack/keystone...
Similarly you need to register your OTP class there