Signing on using IBM MFA with Top Secret fails if the user's password is expired with a:
TSS7057E Invalid SecurID passcode for CA|IBM RSA controlled user
Not using the Factor provided by Broadcom's Advanced Authentication Mainframe (AAM).
Release : 16.0
Component : CA Top Secret for z/OS
Currently, the only Factor that supports password expiration and changing of password with Top Secret is provided by Broadcom's AAM via enhancement fix SO16294.