Policy Server 12.8SP3 on RedHat 7;
1. If Policy Server uses the same Policy and Key Stores, then the
EncryptionKey value should be the same.
Here are some guidance notes :
Adding A Second Policy Server Pointing To The Same Policy Store and Key Store
https://knowledge.broadcom.com/external/article?articleId=127169
Further reading :
Step 2: Install and Configure the Parallel Environment
To maintain single sign-on with a common key store, all Policy
Servers must use the same encryption key. If you do not know the
value of the encryption key, reset the value in the policy
store. Use the new value when installing the Policy Servers.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/upgrading/parallel-upgrade/step-2-install-and-configure-the-parallel-environment.html
Common Key Store Requirements
Verify that all Policy Servers use the same encryption key. If
you do not know the value of the encryption key, reset the r12.x
value in the policy store. Use the new value when installing a
12.8.03 Policy Server.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/upgrading/parallel-upgrade/step-1-determine-the-key-store-option/common-key-store-deployment.html
2. You should ensure that the Policy Store with 12.52Sp1 objects are
completely healthy, by following these requirements from
documentation :
Correct Integrity Errors of Policy Store
CA Single Sign-on features strict policy store validation checks
that prevent you from upgrading older policy stores with integrity
errors. Before you upgrade, correct the integrity errors of your
existing policy store.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/upgrading/correct-integrity-errors-of-policy-store.html
You should set only 1 Policy Server to roll the keys if you have
dynamic agent keys.
Common Key Store Requirements
Select a single Policy Server to generate dynamic Agent
keys. Disable Agent key generation for the remaining Policy
Servers.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/upgrading/parallel-upgrade/step-1-determine-the-key-store-option/common-key-store-deployment.html
and
Separate a r12.x Key Store from a Collocated Policy Store
Disable dynamic agent key generation in the r12.x environment.
If your environment uses static keys, this step is not
required. However, a CA Single Sign-On administrator cannot generate a
random agent key after you export the keys from the policy store.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/upgrading/parallel-upgrade/step-1-determine-the-key-store-option/common-key-store-deployment.html
3. See the answer on point 2 above.
4. We invite you to read carefully the Upgrade entire section from the
documentation about this question :
Upgrading
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/upgrading.html
More, in order to avoid to face complications due to your specific
environment, we strongly invite you to engage our Services
department in order to benifit from their experience in environment
upgrade and they will help you to build an upgrade plan before
going live.
CA Services (now HCL)
https://www.broadcom.com/support/ca/services-support/ca-services