This is an optional identification mechanism. It is not an authentication mechanism, but a way to supply a CICS USERID. To use it, you must specify the name of your security program on the URM option of the TCPIPSERVICE definition for the IIOP port. If you do so, your security program is called by the IIOP request processor.
On invocation, the security program is primed with the value defined by the system initialization parameter DFLTUSER (which defaults to CICSUSER), but can override it. Before routing the IIOP request to a request processor, CICS checks with RACF® that the request receiver transaction is allowed to initiate work on behalf of the USERID generated by the security program.
You can write your own program to supply a USERID, or use the sample security program, DFHXOPUS. See Using the IIOP user-replaceable security program.