You should not only be concerned about PROD clients. Actually, you should also be concerned about communication partner systems (DEV, SOLMAN, etc...).
SAPCPIC you can 99% of the time simply delete as long as you are not using it. When analyzing the usage, you sometimes find misuse...
TMSADM outside of 000 depends on your transport setup. The routes might be client dependent? But 99% of the time it is just the CUA which distrubuted the user to everywhere. Most important is the standard profile assigned only and the domain controller on a secured high availability system, before you create your own domain password for it (that will be the same everywhere anyway and saved into the RFC clients anyway...).
Cheers,
Julius