It sounds like, after the password is reset with a temp password, the user is trying to log in to your application, where the application is using its own self-hosted widget?
If so, this should work, and the user should go through the reset flow from your self-hosted widget.
One scenario I can think of where a user would be redirected to the Org login is if the Org has the security question feature enabled and this is a new user who has not set the recovery answer yet. This can only be done from the Okta-hosted page.
Does this happen with both existing users who have logged in before and new users?