Using Gen Transaction Enabler with Gen C servers and using the WRSECTOKEN exit in our C Windows Client.

A Gen C server imports a large group view of 999 entries containing various large strings.
if there are only a view rows in the group view, everything works. A larger amount of data results in receiving truncated security data on the server.

What are the size limits of a Common Format Buffer (CFB) request?
What is the allowed security token length?

1. The Common Format Buffer (CFB) limit is approx. 16 MB (16777215 bytes)
It was increased from the long-standing limit of 32K back in Gen 8.5.
The 16 MB limit applies to most but not all Gen application types/platforms.
The Gen Transaction Enabler and C servers support the 16 MB CFB limit.

2. For the token length security exit WRSECTOKEN, here is the Gen 8.6 User Exits doc. page: WRSECTOKEN - Client Security Token User Exit (Windows)
These points discuss the maximum length of the token in relation to the size of the CFB being used:
===
*tokenLen 
On input, tokenLen is a pointer to a long integer field that contains the maximum length of the allocated token character buffer. The maximum token length depends on the available space remaining during the construction of the CFB.
On return from the exit, the long integer pointed to by tokenLen must contain the actual length of data that is returned in the character array, which is pointed to by the token argument.
...

Note
If messages exceed the 32K limit, this exit calculates the length considering a maximum length of 16777215 bytes and then truncates the result to a maximum of 32768 bytes as this is the length that is allowed by the generated code for the security token.
If you do not exceed the 32K limit, the maximum length remains the same as 31900 bytes.
===

3. Additional information to clarify #2 further:
===
1a. If the Import view size of a server PStep does not exceed the 32K limit, the maximum length of the token is 32768 bytes minus the actual length of the import views. 
b. If the Import view size of a server PStep exceeds 32K (using a 16 MB CFB), the maximum length of the token is 32K. Thus when using a 16 MB CFB, to enable a maximum token length of 32K a dummy import view must be added to ensure the views exceed the 32K limit.
c. Any token whose length exceeds the maximum length will be truncated.
 
2. On input, the WRSECTOKEN exit initializes the tokenLen to the maximum available length (per the above criteria) so the user can check there if the token to be used is within that limit and potentially return a SecurityError if it does not.
===

NOTE: The current design evolved from when the CFB was limited to 32K and when the extension to 16MB was implemented it needed to ensure there was no regression impact on existing applications still using 32K CFB. The design in its current form cannot be easily changed and an enhancement would be needed.
A new idea (enhancement request) was created by the user on the Broadcom Ideas Community: Provide sufficient security token space in all cases