After doing a TSS REVOKE for a DB2PLAN, the user is still authorized to access the DB2PLAN. Signing off and on or issuing a TSS REFRESH for the ACID doesn't help.
Per the DB2 v11 Technical Overview:
10.1.2 Refresh DB2 cache entries when RACF permissions change. Previous to DB2 11, when DB2 caches are enabled and RACF permissions change in RACF, then the package authorization cache, routine authorization cache and dynamic statement cache are not refreshed to reflect the change. To refresh the cache entries, SQL GRANT and REVOKE statements have to be issued or, to invalidate the entry from dynamic statement cache, RUNSTATS utility has to be executed. Chapter 10. Security 243 DB2 11 introduces the capability to refresh the DB2 following cache entries when access control authorization exit is active and RACF permissions change:
Package Authorization cache
Per the above IBM documentation, DB2 is caching it's security calls, so it doesn't have to issue a external security call to security. It saves I/O and CPU when it doesn't have to call.
Since the DB2 cache is not a CA Top Secret cache, CA Top Secret will not be able to refresh it.
DB2 must provide the functionality to refresh the cache.