Administrators and security operations teams may be concerned with how the OAUTH tokens are stored in the OTK Database regarding the ability for bad actors to perform malicious activities such as intercepting and cross-site schemes. 

Release : 9.4 and 10.x

Component : CA API Layer 7 OAUTH Toolkit

OAUTH tokens do not require encryption in the OTK database because they are random UUID's generated as opaque tokens and not related to any identifiable client info.

The OAuth 2.0 Authorization Framework

You can search for the word Opaque in this reference material for a deeper understanding.

https://tools.ietf.org/html/rfc6749

Opaque Token

An opaque value used by the client to maintain state between the request and callback.  The authorization server includes this value when redirecting the user-agent back to the client.  The parameter SHOULD be used for preventing cross-site request forgery

OAuth Request Scenarios

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-4/oauth-request-scenarios.html