Is it possible to run CA TSS (with one secfile), and have CA LDAP for TSS to make modification in it's own (another) 'secfile' or similar construct, without affecting the security definition actually used on the system? 

Is there some other approach (apart from using test LPAR) that can be used to validate CA LDAP commands (to make sure they are correctly formed and perform appropriate changes) without deploying them to CA TSS?

Top Secret Release: 16.0

Component : LDAP SERVER FOR Z/OS  Release : 15.1

LDAP has no facilities to make modifications to another secfile, and points to the secfile being used by TSS. CA LDAP makes modifications to the secfile exclusively via the CA TSS task and therefore can only impact the secfile which is defined in CA TSS STC.  There is no way to test LDAP without the commands that LDAP generates going to the TSS Secfile defined.