Unable to run sesu -n as non-root issue post PAM SC CP07

Article ID: 406152


Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

With sesu configured as setuid root (permissions rwsr-xr-x), prior to CA PAM SC 14.1 CP07 it was possible to launch sesu -n from any user account and become root without being asked for a password (this is the meaning of the -n switch).

However, after upgrading to CP07 the same setup produces the following error message:

-n (do not ask invoker password) is not valid when sesu is invoked by a none root user.

This article explains why the behaviour changed in CP07 and what can be done to achieve the same result.

Environment

PAM SC 14.1 CP07 and later in Linux

Cause

By default, old_sesu is set to "yes", which is the original sesu mode. When "-n" is used, sesu switches to the new sesu mode for that run (old_sesu = no); the new mode calls /usr/bin/su internally to perform the user surrogate. This is the use case for "-n", and it is intended for the root user only.

Prior to CP07, sesu verified the effective UID of the invoking user and, if it was root, launched the command. Because sesu carried the setuid bit in the scenario described in this article, every user had an effective UID of 0 when running it, so any user could run sesu -n and /usr/bin/su was called without a password.

In CP07 and later, the real UID, and not just the effective UID, is checked before the command is allowed to proceed. This means only the "real" root user can run sesu -n; every other user is denied, as observed.
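The following C program is an added illustration (not CA/Broadcom code) of the real-versus-effective UID distinction described above: the pre-CP07 rule inspects only the effective UID, while the CP07 rule also requires the real UID to be 0. It emulates the "-n" gate for whichever process runs it and prints the decision under both rules; the function names are assumptions chosen for this example.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Pre-CP07 rule as the article describes it: only the effective UID is
 * inspected, so a setuid-root sesu accepts -n from any invoker. */
int allow_nopass_pre_cp07(uid_t real_uid, uid_t eff_uid)
{
    (void)real_uid;            /* the real UID was not consulted */
    return eff_uid == 0;
}

/* CP07-and-later rule: the real UID must be root as well, so the
 * setuid bit alone no longer unlocks -n for ordinary users. */
int allow_nopass_cp07(uid_t real_uid, uid_t eff_uid)
{
    return real_uid == 0 && eff_uid == 0;
}

/* Emulates the sesu -n gate for the calling process under the chosen
 * rule. Returns 0 when -n would be accepted, 1 when it would be refused
 * (printing a message modelled on the error quoted in this article). */
int check_n_switch(int cp07_behaviour)
{
    uid_t ruid = getuid();     /* real UID: who actually logged in */
    uid_t euid = geteuid();    /* effective UID: 0 when run via setuid root */
    int ok = cp07_behaviour ? allow_nopass_cp07(ruid, euid)
                            : allow_nopass_pre_cp07(ruid, euid);
    if (!ok) {
        fprintf(stderr, "-n (do not ask invoker password) is not valid "
                        "when invoked by a non-root user.\n");
        return 1;
    }
    return 0;
}

int main(void)
{
    printf("real uid=%u effective uid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    printf("pre-CP07 rule: %s\n",
           check_n_switch(0) == 0 ? "allowed" : "refused");
    printf("CP07 rule:     %s\n",
           check_n_switch(1) == 0 ? "allowed" : "refused");
    return 0;
}
```

Run it as an unprivileged user and the two rules agree (both refuse); install the binary setuid root and run it again as the same user, and the pre-CP07 rule now allows "-n" while the CP07 rule still refuses, which is exactly the change this article describes.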

Resolution

This is working as designed starting with CP07.

If a regular user needs to call sesu without a password, they should not use sesu -n; the same result is achieved by setting "old_sesu=yes" and "UseInvokerPassword=no" in seos.ini. In this case the security control is enforced through the SURROGATE rules.