In APIM, when a subscriber creates an application and generates keys, the identity component creates a corresponding OAuth application. That OAuth application holds the consumer key and consumer secret; both values are also shown in the Store application view, and they are used later to generate or renew tokens through the Store UI or the token endpoint.
However, these application credentials are constant for the whole life cycle of the application and are destroyed only when the application is deleted. In other words, there was no way to change the consumer secret of an application.
One use of changing a consumer secret is that an organization sometimes needs to invalidate the current tokens and regenerate them for that application. A possible solution is to change only the consumer secret. Up to APIM 2.0.0 this was not possible, but in the latest APIM version (2.1.0) this feature is available.
Admin users can revoke the consumer secret of any OAuth application by logging into the management console of the component where the Auth features are available (APIM or IS). Once the consumer secret is revoked, all associated tokens are invalidated and the cache is cleared as well, so API invocation with those access tokens is blocked and token regeneration for that application is prevented. Once a consumer secret is revoked, the OAuth application is also invalidated and becomes inactive. This does not affect API subscriptions, however: the application can still subscribe to APIs in the APIM Store. If an OAuth application is revoked, tokens cannot be regenerated using the Store UI or the token endpoint. Even though the consumer secret is revoked, it is not removed from the OAuth application, and the Store continues to show the same value.
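The behaviour described above, as an added illustrative model (not WSO2 code): revoking the secret invalidates every issued token, purges the validation cache so no stale hit survives, marks the application inactive so the token endpoint refuses it even with the still-displayed secret, while subscriptions keep working. All class and method names here are assumptions for the model.

```python
import secrets
from dataclasses import dataclass, field
# Illustrative model of the revocation behaviour described above; not WSO2 code.
@dataclass
class OAuthApplication:
    name: str
    consumer_key: str = field(default_factory=lambda: secrets.token_hex(8))
    consumer_secret: str = field(default_factory=lambda: secrets.token_hex(16))
    active: bool = True                      # False once the secret is revoked
    subscriptions: set = field(default_factory=set)

class TokenService:
    def __init__(self):
        self.apps = {}          # consumer_key -> OAuthApplication
        self.token_store = {}   # access_token -> consumer_key (persistent store)
        self.cache = {}         # access_token -> consumer_key (validation cache)

    def issue_token(self, key, secret):
        """Token endpoint: client_credentials-style check of key and secret."""
        app = self.apps.get(key)
        # Reject an unknown key, a wrong secret, or an inactive (revoked) app, even with its old secret.
        if app is None or not app.active or not secrets.compare_digest(secret, app.consumer_secret):
            raise PermissionError("invalid_client")
        token = secrets.token_urlsafe(16)
        self.token_store[token] = key
        return token

    def validate_token(self, token):
        """Gateway path: answer from the cache first, then from the store."""
        if token in self.cache:
            return True
        key = self.token_store.get(token)
        if key is None:
            return False
        self.cache[token] = key
        return True

    def revoke_consumer_secret(self, key):
        """Admin action: invalidate every token of the app and clear its cache entries."""
        app = self.apps[key]
        app.active = False      # the secret value itself is kept and still displayed
        for token in [t for t, k in self.token_store.items() if k == key]:
            del self.token_store[token]
            self.cache.pop(token, None)   # a stale cache hit would otherwise still pass

    def subscribe(self, key, api):
        """Subscriptions are unaffected by revocation, as the post notes."""
        self.apps[key].subscriptions.add(api)
        return api in self.apps[key].subscriptions
```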