The common technique for restricting ssh capabilities is to change the user's default shell (the "default program" in the OMVS segment) to a shell that only allows certain commands and no interactive access. The sample script below can be customized and used as the user's "restricted shell". Put this script somewhere in your Co:Z bin install directory and make its permissions u=rwx,go=rx (i.e 755). Use the full path name of the script as the users shell. Make sure that the script uses full path names. You can remove the dspipes.sh entry from the list if you don't want to allow remote Dataset Pipes commands via ssh.

#!/bin/sh
# A shell script which can be set as a users default shell
# to only allow certain commands or ssh subsystems to run,
# disallowing full shell logins.

if test $# -ge 2 -a "$1" = "-c"
then
 case $2 in
 # Update this list to match what you have in /etc/ssh/sshd_config
 # or add any other commands that you would like to allow
 # from ssh.
 /opt/dovetail/coz/bin/sftp-server.sh) exec $2;;
 /opt/dovetail/coz/bin/dspipes.sh) exec $2;;
 *);;
 esac
fi

# Write out whatever messages you want your users to see
# if they try something else
echo "Only sftp and dataset pipes file transfers are allowed from this account."
exit 1

Note: this will not only restrict the user from using an interactive shell under OpenSSH, but will prevent them from running an interactive shell under TSO as well. Also, any batch jobs that run with their userid will also use this as the default Unix shell (BPXBATCH or COZBATCH).