The RODC checks the lockoutTime attribute when a logon attempt is started. If the current time minus the lockoutTime value is less than the lockout-duration configured in the security policy, the RODC won't let the user log in.
The GUI tools look at the UserAccountControl attribute—not the lockoutTime attribute—to determine if an account is locked, which is why the GUI tools fail to show the user-account's locked status.
To unlock an account, you need to re-establish read-write DC connectivity. The read-write DC will replicate a 0 lockoutTime value back to the RODC and unlock the account.