Signing on using IBM MFA with Top Secret fails if the user's password is expired with a:
TSS7057E Invalid SecurID passcode for CA|IBM RSA controlled user
Not using the Factor provided by Broadcom's Advanced Authentication Mainframe (AAM).
Release : 16.0
Component : CA Top Secret for z/OS
Currently the only Factor that supports password expiration and changing of password with Top Secret is provided by Broadcom's AAM.
Please contact support for Enhancement fix ST15154.