After upgrade to TS 5.6, transactions that were supposed to use Non-Terminal Default userid, started using Terminal Default userid.

Release : 16.0

Component : ACF2 for z/OS

The SEQVFYFREQ SIT parameter was made obsolete starting CICS TS v5.4. 
This parameter makes CICS perform a full signon to ACF2 once per day for each userid that requires password validation for CICS web support. 

In the earlier version of CICS (v5.3) this parameter was set to "NEVER", so CICS never performed a full sign-on. 
Since the SEQVFYFREQ parameter was made obsolete, CICS always performs a full sign-on with AFC2 once per day for all such userids.
  ( See resolution for detail on how to fix this anomaly )

Research suggests this is not an ACF2 condition rather a CICS TS5.6 condition.
IBM has provided the solution in PTF UI78617 

PTF UI78617 seems to correct this CICS user domain behavior and no longer causes the default or region userids to get replaced. 

 Explanation  ::

CICS assigns a user token to every userid.
DFTCICS is the CICS default userid and is normally the first userid to be registered and hence it gets assigned the first token "00000001". 

A bug in CICS TS5.6 causes it to make the DFTCICS userid stale/unusable and replace it with a duplicate DFTCICS id and assign it a new user token.

Additionally, the SEQVFYFREQ SIT parameter was made obsolete starting CICS TS v5.4. 
This parameter makes CICS perform a full signon to ACF2 once per day for each userid that requires password validation for CICS web support. 

In our earlier version of CICS (v5.3) this parameter was set to "NEVER", so CICS never performed a full sign-on. 
Since the SEQVFYFREQ parameter was made obsolete, CICS always performs a full sign-on with AFC2 once per day for all such userids.

The web transactions are assigned the DFTCICS userid initially and ACF2 overrides it with the NON-TERMINAL userid ( application/user-specified id in ACF2 parms). 
When CICS performs a full sign-on for DFTCICS to AFC2 (due to SEQVFYFREQ parameter being obsolete) a duplicate entry for DFTCICS is registered and assigned a new user token due to a bug mentioned earlier.

The original CICS default userid DFTCICS was assigned a token "0000001" and  later replaced with a duplicate entry with a new token "0000005A" assigned to it. 

When this happens, ACF2 is fooled into assuming that the duplicate DFTCICS userid is just another userid that was sign-on to ACF2 and not the default CICS userid and does not proceed to override it with the NON-TERMINAL default userid. 

Hence, web transactions continue to run under DFTCICS causing security violations and resulting in the DFTCICS ID getting suspended.

This is not an ACF2 condition.

See
APAR  PH40792
Applicable component levels     R300 PSY UI78617
UI78617  -- UNEXPECTED DFHUS0200 MESSAGE FOR REGION USERID OR DEFAULT USERID