There is a new CICS SIT (System Initialization Table) parameter called XPTKT. The XPTKT option is set to YES by default. How does this parameter work with Top Secret?

Release : 16.0

Component : Top Secret for z/OS

You should use the default of XPTKT=YES. In this case, as the IBM documentation states, a security call for the signed on user will be driven for PTKTDATA(IRRPTAUTH.applid.userid).  

With XPTKT=NO, the same security call will be issued for the CICS TS region control acid. If this ACID has bypass attributes such as NORESCHK, then any ACID can generate a passticket for any application.