CA OPSMVS and CA ACF2 are started, but CA ACF2 is not fully active before CA OPSMVS issues a command, and the following CA ACF2 message is issued: ACF01004 LOGONID +xxxxxx NOT FOUND. How is this resolved?


Article ID: 45250


Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

CA OPSMVS and CA ACF2 are started, but CA ACF2 is not fully active before CA OPSMVS issues a command, and the following CA ACF2 message is issued: ACF01004 LOGONID +xxxxxx NOT FOUND. How is this resolved, and where does the "+" sign come from?

Environment

Release: ACF2..001AO-16-ACF2

Resolution

The message ACF01004 LOGONID +xxxxxx NOT FOUND is issued because CA ACF2 is not yet fully active and cannot complete the verification process. It is recommended that CA ACF2 be fully operational before you start products such as CA OPSMVS.

By MVS/RACF convention, userids beginning with a plus sign ('+') are reserved for use by 'system tasks', such as MASTER and CONSOLE.  

In an ACF2 environment, these logonids and the convention remain in use (that is how the MVS tasks initialize themselves), but the use of such LOGONIDs is not restricted to these system tasks.

When RACROUTE REQUEST=VERIFY,ENVIR=CREATE,PASSCHK=NO calls are issued for such LOGONIDs, ACF2 processes them as system tasks.  The result is a valid ACEE, which addresses (for performance reasons) a 'dummy' ACUCB/LIDREC for the address space LOGONID.  

The CA-recommended solution is to create a CAISEC00 member in the system PARMLIB that automatically starts ACF2 after security subsystem initialization, which ensures that ACF2 starts before any other started tasks. There are a handful of exceptions, such as MASTER, DUMPSRV, CONSOLE, SMF, and a few other system tasks, that do start before ACF2. The CAISEC00 member can point to another CAISECxx member. The CAISEC00 or CAISECxx member then specifies:

ACF2 (00 START)

which starts ACF2 and points to member CAIACF00, which contains the ACF2 startup parameters.

Additional Information

This is documented in the ACF2 Installation Guide in Chapter 5 (Starting Your Product) under "CA ACF2 System Initialization."