You cannot use Dynamic Seed Provisioning to distribute software tokens to devices running the VPN version of the RSA SecurID Token application.

The IT policy requirement is as follows:

Specify a server URL for downloading tokens  through Dynamic Seed Provisioning (CT-KIP) so that users do not have to enter the URL in their BlackBerry devices  to import a token. Strings can contain up to 200 characters.  For example, below are the CT-KIP credentials (for the last token distribution by CT-KIP):

1. The RSA Software Token for BlackBerry token import fails during the first attempt using the CT-KIP download and works fine the second time. The release notes for RSA Software Token 3.0.2 for BlackBerry describes this behavior in the 8700 model. However, this has been noted in other newer models too. This has been resolved in RSA Software Token 3.5 for BlackBerry.
2. Download RSA Software Token 3.5.1 for BlackBerry.  You can download RSA Software Token 3.5 for BlackBerry devices directly to the BlackBerry device by clicking here. 
3. Automatic download of a token to a device using CT-KIP works only one time. If a token is deleted and you try to import the new token, the RSA token application must be launched and the Import Token option should be used.
4. If there is a problem in downloading application, verify you can launch www.google.com and www.yahoo.com from the same device. Verify that the third-party software installation is allowed on the device. This is disabled on BES server in IT policy.
5. CT-KIP requests can be configured with http as well. (default request URL works with https). The http URL can be mentioned on BES server IT policy.
6. The Service Address URL should be sent to end users by email.