User logs on using RSA token, if the 1st server is not reachable, we're seeing a 5 sec time-out followed by 4 retries, so 20secs in all before it moves on to the next server in the list.
If the next server is also not reachable we only seeing a 1 sec timeout with no retries before it moves on to the next server.

Does this have anything to do with the MAINARGS DD, /usr/maastc    5?

We've also noticed this behaviour happens for every logon which implies it's not remembering the status of the servers.
We have SDSTATUS_LOC=/usr/maastc/JAStatus1.1. Is this not used to remember the RSA server status so it doesn't repeat the 20sec delay mentioned above?

Release : 16.0

Component : CA ACF2 for z/OS

The behavior you are seeing is consistent with the MAINARGS. It is looking for the path where rsa_api.properties is located and the number of consecutive signon failures that must occur before CA Advanced Authentication Mainframe checks if all RSA servers are down. The time in between tries is defined int he sdconf.rec file created by the RSA administrators, under maximum time between each retry as per settings in Agents > Generate Configuration File.

SDSTATUS_LOC is the location of the file that will be generated for authentication attempts. From what I can tell in RSA documentation they maintain a list of available servers and prefer to use the fastest responding ones. However, that would be a question for RSA to respond to.