Regarding the #1, the A2A client cannot be at a newer release than the PAM manager. The A2A client can be at a lower release.
Regarding the #2 and #3, it is the same version as the Credential Management version in the corresponding PAM server release.
In order to check the version of the Credential Management on the PAM server, catalina.out will show like the below logs that can verify the version.
7 26, 2018 1:59:58 午前 com.cloakware.cspm.server.app.ApplicationImpl a
INFO: ApplicationImpl.initialize Finished PA startup on <IP ADDRESS> (<FQDN OF THE PAM SERVER>) appClustering=OFF dbClustering=OFF externalSyncUnlocked=NO
7 26, 2018 1:59:58 午前 com.cloakware.cspm.server.security.PatchAuthenticator init
INFO: PatchAuthenticator.init Maximum client/proxy version allowed is 22.214.171.124
The catalina.our can get from the below place.
Configuration >> Diagnostics >> Diagnostic Logs >> Download tab >> "Download" button at the right of the "Tomcat:".