From the CICS documentation we can read:
User IDs and passwords specified in the CESN transaction are translated to uppercase, ignoring the setting of the UCTRAN attribute.
However, if support for mixed case passwords is active in the external security manager, CICS saves the value of the UCTRAN option and temporarily sets it to UCTRAN(NO) while the user is prompted to enter a userid and password.
CESN then uppercases the userid but leaves the password in the case entered by the user.
When the CESN transaction completes, the UCTRAN attribute is restored to its original value. If the user disconnects from the terminal before the CESN transaction has completed, the terminal might be left with the UCTRAN(NO) attribute set.