Step1: Install QWS3270Plus (For "TN3270" you must use QWS3270plus and not QWS3270Secure or the connection will fail)

Step2: Create device for your mainframe (in this sample, it is "Mainframe")

Step3: Create target application

Application Type is "IBM i"

Once you select this then you will see "IBM i" tab.

As this is "TN3270" connection, SSL/TLS must be unchecked.

Step4: Create target account

Step4: Create TCP Service

In this sample, the mainframe is listening on TCP port 23 so the 

Ports is set to "23:*" to ensure the destination is port 23 and local port will be ephemeral port.
Protocol is "TCP"

Application Protocol must be "TELNET"

Mainframe Protocol is "TN3270" (This sample is only for TN3270)

Client Application is "C:\QWS3270PLUS\qws3270p.exe" <Local IP> <First Port>

Step5: Associate Service with Device.

Step6: Create Policy

Ensure the target account is associated for auto-login.

Now the Access page should display the "QWS3270 NON-SECURE" service.

PAM will inject the user credentials so auto-login works.