new SITPARM called XPTKT.
This new option by default is set to YES -
https://www.ibm.com/support/knowledgecenter/SSGMCP_5.4.0/reference/sit/dfha2_xptkt.html
Release : 16.0
Component : CA Top Secret for z/OS
You would want the default of XPTKT=YES. In this case as the IBM doc. states a security call for the signed on
user will be driven for PTKTDATA(IRRPTAUTH.applid.
If the SIT XPTKT=NO, then the same security call will issued under the CTS region control acid and if that acid has bypass
attributes such as NORESCHK, then for example anyone can generate a passticket for any application.