new SITPARM called XPTKT.

This new option by default is set to YES - 

https://www.ibm.com/support/knowledgecenter/SSGMCP_5.4.0/reference/sit/dfha2_xptkt.html

Release : 16.0

Component : CA Top Secret for z/OS

You would want the default of XPTKT=YES.  In this case as the IBM doc. states a security call for the signed on
user will be driven for PTKTDATA(IRRPTAUTH.applid.userid).  

If  the SIT XPTKT=NO, then the same security call will issued under the CTS region control acid and if that acid has bypass
attributes such as NORESCHK, then for example anyone can generate a passticket for any application.