The CICS® Configuration Manager client (the ISPF dialog or the batch command interface) and CICS Configuration Manager server can be on different systems, but they must use the same external security manager database, such as a RACF® database. This is because the client may generate a PassTicket, and then send it to the CICS Web Interface that is used by the server.
If the security database used to generate the PassTicket and the security database used to authenticate the PassTicket are different, then the authentication may fail, and the CICS Web Interface will deny the client access.
For more information about PassTickets, see z/OS®: Security Server RACF Security Administrator's Guide.