After the upgrade of the ACS Solution Engine to 4.0, under External User Databases > Database Configuration, the RSA SecurID Token Server is no longer a selected field. If this was previously configured, RSA SecurID Token Server(s) can be viewed under List All Database Configurations, but they cannot be deleted.
Also, if you added the RSA SecurID Token Server to the External User Database in a previous version of ACS, mapped it to a group, and selected this database in the Unknown User Policy, then, after the upgrade to ACS 4.0, the RSA SecurID Token Server is still displayed. Ideally, it is deleted from everywhere inside the External User Database and not just from the Database Configuration.
Moreover, the configuration in the RSA SecurID Token Server is ideally placed in the RADIUS Token Server after the upgrade to 4.0.
This issue is documented in Cisco bug ID CSCeh73803.
The RSA SecurID Token Server feature has been removed in Cisco Secure ACS Solution Engine versions 3.3.2 and 4.0.
The only current workaround available is to downgrade the software version to 3.2.