"Generation PassTicket" is enabled in the TPXADMIN dialog for the applications and works fine with the installed crypto card (cryptographic coprocessor).
Note that the RACF PassTicket key definition (PTKTDATA profile, SSIGNON segment) is stored in the ICSF CKDS.
When executing a disaster recovery (DR) test there was an issue, because no crypto card is installed at the DR site.
So when trying to log on to a specific application, the following message appeared:
"==> Session xxxxx ended - Pass Ticket gen failed <=="
And the TPX log displayed:
TPXL0921 xx/xx/xx.xxx xx:xx:xx.xx SESSION START PASS TICKET GENERATION FAILED
FOR USERID: Uxxxxx SESSION: xxxx APPL PROFILE: xxxxxxx
REASON CODE:0C Additional HEX INFO:0C0000
Reason Meaning: ICSF CSNBENC services Failed
Once the PassTicket option is turned off, it is possible to log on. Why did it fail with PassTicket on?
Component: TPX for z/OS
To troubleshoot the issue, first verify the following:
1) Is the same SMF ID being used in DR as in PROD?
- Issue the following MVS console command on both the DR and PROD systems to display the SMF options:
D SMF,O
Look for SID(xxxx) in the output.
(xxxx - System ID / SMF ID. This matters because some PTKTDATA profile names embed the SMF ID, for example the TSOsid profile that RACF uses for TSO, so a different SMF ID at DR means TPX would be generating PassTickets against a different profile.)
2) Is Enhanced PassTicket being used?
- Issue the following RACF command on the DR and PROD systems to display the PassTicket profile:
RLIST PTKTDATA xxxx SSIGNON
(xxxx - Profile name coded in the ACT entry, under the "* Pass Ticket prof name:" field.
Note: it must be taken from the ACT entry for the APPLID that the user is trying to connect to.)
If Enhanced PassTicket is in use, the command output will show something like this:
SSIGNON INFORMATION
-------------------
Legacy PassTicket: KEYENCRYPTED LABEL: xxx.SSIGNON.xxxx.xxxxxxxx.xxxxxx.xxxxxx
Enhanced PassTicket: Timeout = xxxxxxxx
Enhanced PassTicket: Replay allowed = xx
In this case Legacy PassTicket is being used, but the SSIGNON key was stored encrypted in ICSF (KEYENCRYPTED), as this line of the output shows:
Legacy PassTicket: KEYENCRYPTED LABEL: xxx.xxx.xxx.xxxxxxxx.xxxxxx.xxxxxx
Note that for Legacy PassTicket the key can be stored in either of two places:
1) the security database (RACF database), as a masked key (KEYMASKED), or
2) ICSF, as an encrypted key (KEYENCRYPTED).
For Enhanced PassTicket, however, the HMAC keys must be stored in ICSF.
Every key held in ICSF is encrypted under the ICSF master key, and the master key exists only inside the crypto engines (the cryptographic coprocessors). Without active crypto engines, the software part of ICSF (the ICSF started task) cannot decrypt those keys and make them available for use.
That is why the TPX message correctly indicates that ICSF and the crypto engines need to be active in order to retrieve the PassTicket key from ICSF:
Reason Meaning: ICSF CSNBENC services Failed
In this case the RACF display shows that this PTKTDATA SSIGNON key was stored in ICSF. Therefore the crypto engines must be active in ICSF at the DR site so that the key can be decrypted for PassTicket generation. The same requirement applies to any Enhanced PassTicket key, since those are always kept in ICSF. Only a Legacy PassTicket key defined as KEYMASKED in the security database has no dependency on the crypto hardware, and that key is only masked rather than encrypted, so switching to it trades key protection for DR independence.
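The three checks above can be applied to captured command output as a script. The following is an added example written for this article; it is not code from TPX, RACF or ICSF. It parses the D SMF,O output from both systems, the TPXL0921 messages from the TPX log, and the SSIGNON section of RLIST PTKTDATA output, then reports which failing profiles depend on ICSF and therefore on active crypto coprocessors. All sample text is constructed: the profile names, user ID, key label and the wording of the KEYMASKED line and of an Enhanced PassTicket key label line are assumptions, since the article only shows the KEYENCRYPTED form and reason code 0C.

```python
"""Added example, not TPX, RACF or ICSF code: triage a TPX PassTicket failure at a
DR site with the article's three checks (SMF ID, PTKTDATA SSIGNON key storage and
the TPXL0921 reason code). All sample text is constructed; the names, key label and
the KEYMASKED / Enhanced key label line wording are assumptions."""
from __future__ import annotations
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

TPX_REASON_MEANING = {"0C": "ICSF CSNBENC services Failed"}  # only code in the article

# D SMF,O output (abbreviated, constructed) captured on PROD and on DR.
PROD_SMF = "IEE967I 09.15.02 SMF PARAMETERS 101\n         SID(SYSA) -- PARMLIB\n"
DR_SMF = "IEE967I 09.20.31 SMF PARAMETERS 101\n         SID(SYSA) -- PARMLIB\n"

# TPX log excerpt (constructed): one three-line TPXL0921 message.
TPX_LOG = """\
TPXL0921 24/03/01.061 09:15:02.11 SESSION START PASS TICKET GENERATION FAILED
FOR USERID: U12345 SESSION: TSO1 APPL PROFILE: TSOSYSA
REASON CODE:0C Additional HEX INFO:0C0000
"""

# RLIST PTKTDATA <profile> SSIGNON output (abbreviated, constructed). TSOSYSA mirrors
# the article's KEYENCRYPTED case; the KEYMASKED line for CICSPROD is assumed wording.
RLIST_OUT = """\
PTKTDATA   TSOSYSA

SSIGNON INFORMATION
-------------------
Legacy PassTicket: KEYENCRYPTED LABEL: IRR.SSIGNON.SYSA.20240301.091502.000001
Enhanced PassTicket: Timeout = 600
Enhanced PassTicket: Replay allowed = NO

PTKTDATA   CICSPROD

SSIGNON INFORMATION
-------------------
Legacy PassTicket: KEYMASKED
"""

SID_RE = re.compile(r"\bSID\((\w+)\)")
PROFILE_RE = re.compile(r"^PTKTDATA[ \t]+(\S+)[ \t]*$", re.M)
LEGACY_RE = re.compile(r"^Legacy PassTicket:\s*(KEYENCRYPTED|KEYMASKED)(?:\s+LABEL:\s*(\S+))?", re.M)
ENH_LABEL_RE = re.compile(r"^Enhanced PassTicket:.*\bLABEL:\s*(\S+)", re.M)  # assumed format
TPXL0921_RE = re.compile(
    r"^TPXL0921\b[^\n]*PASS TICKET GENERATION FAILED\s*\n"
    r"\s*FOR USERID:\s*(\S+)\s+SESSION:\s*(\S+)\s+APPL PROFILE:\s*(\S+)\s*\n"
    r"\s*REASON CODE:\s*([0-9A-F]{2})", re.M)
TpxFailure = namedtuple("TpxFailure", "userid session profile reason")

@dataclass
class SsignonInfo:
    profile: str
    legacy_storage: str = "NOT DEFINED"   # KEYENCRYPTED (in ICSF) or KEYMASKED (RACF database)
    legacy_label: Optional[str] = None    # CKDS label shown for KEYENCRYPTED keys
    enhanced_label: Optional[str] = None  # Enhanced PassTicket HMAC key, always in ICSF

    @property
    def needs_icsf(self) -> bool:
        # CKDS keys are wrapped under the master key held only in the crypto coprocessor.
        return self.legacy_storage == "KEYENCRYPTED" or self.enhanced_label is not None

def smf_sid(d_smf_o_output: str) -> Optional[str]:
    """Return the SID(xxxx) value from D SMF,O output, or None if absent."""
    return m.group(1) if (m := SID_RE.search(d_smf_o_output)) else None

def parse_tpx_failures(tpx_log: str) -> list[TpxFailure]:
    """Extract every TPXL0921 PassTicket generation failure from a TPX log."""
    return [TpxFailure(*m.groups()) for m in TPXL0921_RE.finditer(tpx_log)]

def parse_ptktdata(rlist_output: str) -> dict[str, SsignonInfo]:
    """Parse the SSIGNON section of RLIST PTKTDATA output, one entry per profile."""
    parts = PROFILE_RE.split(rlist_output)  # [preamble, name1, body1, name2, body2, ...]
    infos = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        info = SsignonInfo(profile=name)
        if m := LEGACY_RE.search(body):
            info.legacy_storage, info.legacy_label = m.group(1), m.group(2)
        if m := ENH_LABEL_RE.search(body):
            info.enhanced_label = m.group(1)
        infos[name] = info
    return infos

def dr_readiness(prod_smf: str, dr_smf: str, rlist_output: str, tpx_log: str) -> dict:
    """Run the article's three checks and explain each TPXL0921 failure in the log."""
    prod_sid, dr_sid = smf_sid(prod_smf), smf_sid(dr_smf)
    profiles = parse_ptktdata(rlist_output)
    findings = []
    if prod_sid != dr_sid:  # profiles such as TSOsid embed the SMF ID in their name
        findings.append(f"SMF ID differs (PROD={prod_sid}, DR={dr_sid}); SMF-ID-based profiles will not match")
    for f in parse_tpx_failures(tpx_log):
        meaning = TPX_REASON_MEANING.get(f.reason, "not documented in the article")
        info = profiles.get(f.profile)
        if info is None:
            findings.append(f"{f.profile}: no RLIST output; run RLIST PTKTDATA {f.profile} SSIGNON")
        elif f.reason == "0C" and info.needs_icsf:
            findings.append(f"{f.profile}: {meaning}, key in ICSF ({info.legacy_storage}); crypto coprocessors must be active on DR")
        else:
            findings.append(f"{f.profile}: reason {f.reason} ({meaning}); key storage {info.legacy_storage} does not need ICSF, look elsewhere")
    return {"smf_match": prod_sid == dr_sid,
            "icsf_dependent": sorted(p for p, i in profiles.items() if i.needs_icsf),
            "findings": findings}
```

Paste the real D SMF,O, TPX log and RLIST output into the constants (or pass them to dr_readiness) and read the findings: a profile that fails with reason 0C and shows KEYENCRYPTED or an Enhanced PassTicket key is the case described in this article, while a KEYMASKED profile failing the same way points at something other than missing crypto hardware.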