Users obtain an IBM CTC token (essentially an 8-character password replacement) that is valid for a single use (MFPOLICY REUSE=NO). They enter the CTC token in the password field during logon instead of a password.
This works with most applications, such as 3270 TSO, CICS logons, etc.

Users also log on to off-host applications such as SAS Connect, WebFocus or CICS Explorer using their mainframe userid and a CTC token.  The logon is done on their workstation using the off-host GUI. The application then attempts to log the user onto the mainframe using the CTC token. Top Secret fails the user with error code 08-09, invalid password because the CTC token is only valid for a single use.  

The SPAWNER initiated two MFA signon requests using the CTC token twice. 
The tokens are only good for one signon.
This needs to be corrected by the manufacturer of the SPAWNER.