Gen Client:
a. The Configuration/Details of the target server in the Client Manager needs to have the "SSL Socket" flag selected along with the "CICS Sockets Listener" being used.
b. For SSL validation options, the mainframe network/security administrator needs to make the decision of what type of validation is required on the client side i.e. one of the 3 options "Ignore Server Certificate Validation", "Server Certificate Validation", "Server Certificate & Hostname Validation".
Per "SSL Configuration Options", if wanting to validate server certificates (2nd/3rd options above), then the cacert.pem file is used i.e. "During execution, Runtime uses the cacert.pem file to validate server certificates. The cacert.pem file is a bundle of public certificates trusted by the Certificate Authority."
NOTE: The sample certificate file cacert.pem is a text file encoded in Base64 ASCII format so can be viewed in any text editor. It contains a bundle of public CA Certificates from Mozilla certificate data (https://curl.se/docs/caextract.html), so may need to be redownloaded to kept up to date. Also, if CA certificates used by the site-specific SSL Server are not part of that downloaded file then the file will need to be replaced with a new version containing those CA certificates.
c. No other changes should be required on the client side.

Network -  z/OS TCP/IP Stack:
Per "z/OS Configuration" statement "Configure IPSec for the TCP/IP Stack used by the CA Gen Server to specify the options for ttls.policy. Indicate where the HandshakeRole is done (Server), specify the Certificate used and the location of Keyring."
The mainframe network/security administrator needs to setup the TTLS policy. When configuring the TCP/IP stack via the TCP/IP profile data set in the TCPCONFIG statement add the parameter TTLS to enable Application Transparent Transport Layer Security (AT-TLS). Also, provide information on where the AT-TLS policy and the certificate resides.
This is documented in more detail in the IBM z/OS Communications Server: IP Configuration Guide (see Chapter 20. Application Transparent Transport Layer Security data protection)

Gen Server:
No changes are required for the generated Gen servers themselves.
Also per "z/OS Configuration" no changes are required for the Gen CICS TCP/IP Single or Multi-Sockets Listener (TISRVMSL).

Supported SSL protocols:
As of August 2021, the supported protocols are SSLv3, TLSv1, TLSv1.1, and TLSv1.2.
When the SSL support was introduced for the 8.6 Client Manager in June 2018 with PTF CCN86103/SS04179 that came with TLSv1.2 support.
The main CA Gen 8.6 > Technical Requirements page covers this under "Change Summary". See "Support for SSL v3/TLS v1.2 for Client Manager"
The change in that PTF is now part of the Gen 8.6 Complete Release (PTF WKS82000) which is the baseline for all future PTFs (CA Gen 8.6 Solutions & Patches)
See also "SSL, TLS Protocols" documented here under the CA Gen 8.6 > Technical Requirements > General Comments page.