After upgrade TOMCAT server, none secure port connection to Mainframe Application Tuner(MATUNE) server has no problem but secure port connection getting error:

com.ca.mat.connect.ServerConnect connectSecure

WARNING: Exception EDC8128I Connection refused. (Connection refused) detected while executing cmnd=check&epassw=-xxxxxxxxxxxxxx&use########&user=x###

TOMCAT server r9, Z/OS

web.xml setting for <auth-constraint /> to check security.

web.xml setting shows,

  <!-- CCS Tomcat 9.0.14 - The HTTP methods below will be disabled   -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name><strong>unrestricted methods</strong></web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>PUT</http-method>
            <http-method>POST</http-method>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>

  <!-- CCS Tomcat 9.0.27 - Enables the other HTTP methods not listed -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name><strong>unrestricted methods</strong></web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method-omission>DELETE</http-method-omission>
            <http-method-omission>OPTIONS</http-method-omission>
            <http-method-omission>PUT</http-method-omission>
            <http-method-omission>POST</http-method-omission>
            <http-method-omission>TRACE</http-method-omission>
        </web-resource-collection>
    </security-constraint>

The  <auth-constraint /> (authorization constraint ) contains the role-name element which is defined within the tomcat configuration to authorize the user. 
For MATUNE use  case,  the authentication and authorization is done with mainframe security.

Remove <auth-constraint /> from the web.xml  and restart the TOMCAT  server.