PPM itself doesn't use OpenSSL, however it is common in PPM Production environment to deploy an Apache Web Server in front of PPM and leverage OpenSSL in this Apache Web Server to provide HTTPS.
So PPM itself is not affected, however your Apache Web Server is if it's configured to use a vulnerable version of OpenSSL (1.0.1 to 1.0.1f). If you are using a version of OpenSSL earlier than 1.0.1, you are not impacted by the vulnerability. If you are using a vulnerable version, you should upgrade as soon as possible to 1.0.1g.
It is up to your administrators to take follow-up actions after upgrading to the latest version (re-generate SSL certificates, or even re-issue passwords for all PPM users, etc), though the risk of PPM leaking password information should be considered limited if you don't use SSO, i.e. if the authentication is NOT done at the Web Server level, and that PPM Server and Apache Server are not located on the same physical machine (if I'm correct, the vulnerability in Heartbleed gives an attacker arbitrary memory access to the machine where OpenSSL is running, so if PPM is on a different machine, they will only have access to information stored in the memory of the Server hosting Apache+OpenSSL. That being said, I cannot tell how much information regarding PPM authentication data will Apache store in its memory).
Considering the severity of this vulnerability and the (justified) concerns it raises in the PPM customer base, I think you should expect a more formal communication from HP about that topic in the coming days.