IBM CMOD passwords are stored in the database as a "one-way cryptographic hash". This is in line with IT security best practices.
For systems that have ODWEK and CMOD on the same server, as long as your web services uses HTTPS, the hash should be secure in transit. For ODWEK and CMOD on different servers, you'd want to verify and validate that the connection between them is either in a trusted network zone, or that the traffic passes through an encrypted connection.
Most IBM CMOD installations have the database located on the same server as the CMOD software itself -- a "local connection". DB2 authenticates the user connecting to the database through the operating system. In systems where the database is remote (which is specifically NOT recommended, by the way) you are responsible for securing that connection on your own with whatever encryption tools your chosen database engine provides.
-JD.