The CSRF protection is handled by sfForm
class, it has nothing to do with sfFormDoctrine
. The secret should get generated for you, but if you have problems you can pass it as a third argument to your form's constructor:
$form = new ObjectCollectionOuterForm($defaults, $options, $CSRFSecret);