BPX.SERVER is necessary when you want to use the BPX callable service pthread_security_np(). A server that uses the pthread_security_np() service can customize the RACF identity of a thread. Such server initiates a thread that processes the client's request. If the server customizes the thread initiated for the client with the clients' RACF identity,any resource access decisions to RACF-protected resources are made using the client's RACF identity and authorizations
CSM uses this function when it instantiates a new thread under logged user credentials. Actual CSM tomcat runs under different ACID than logged user has hence when CSM is supposed to allocate DATASET or does an SMP/E operation in context of logged user it must create a new thread within the server address space. CSM has to call pthread_security_np() to instantiate new thread with different (user's) security context.
Access to the facility BPX.DAEMON is not required by CSM. It is required only for the ID installing CSM and can be revoked once the installation is complete.
For additional information on access requirements, for the CSM Tomcat Server and access requirements for the installer of CSM, please see the CSM Install Guide.