Per IBM CICS documentation:
Your application programs must always check the EIBRESP and EIBRESP2 values returned by the EXEC CICS VERIFY PASSWORD command and not rely on the ESMRESPand ESMREASON codes.
The VERIFY PASSWORD returns the same values of:
EIBRESP (= NOTAUTH), EIBRESP2 (= 19), ESMRESP (= 28). and ESMREASON (zeroes)
If the user's id is suspended or does not have the right FACILITY
There are no other RESP2 code other than the ones documented in IBM documentation:
2 The supplied password is wrong.
3 A new password is required.
19 The USERID is revoked.
Because of this, no distinction can be made.
CA Top Secret is passing back a return code x'1C' to IBM. The CA Top Secret Detailed Reason Code (DRC) will indicate the reason of the failure.
The DRC is not a concept that CICS is aware of, and is unique to CA Top Secret. To determine the specific details of the signon failure a TSSUTIL report or a CA Top Secret SECTRACE would reveal the exact cause of the failure. CICS knows nothing about the concept of a CA Top Secret FACILITY.