Use PingIdentity for the purpose of using tokens between servers instead of passing around userIDs and passwords with CA ACF2.
Release : 16.0
Component : CA ACF2 for z/OS
In order to use an advanced authenticator(PingIdentity) ensure that the authenticator can use RADIUS. If the advanced authenticator uses RADIUS then install CA Advanced Authentication Mainframe(CA AAM), which is licensed for users of CA ACF2. Configure the RADIUS server to accept requests from the z/OS system that CA AAM is running on. Ensure the z/OS system can communicate with the RADIUS server. CA ACF2 would be a client of the RADIUS server which will contact PingIdentity for authentication.
Documentation on installing AAM
Documentation on how to Configure RADIUS