Policy Server 12.8SP3 on RedHat 7;

1. If Policy Server uses the same Policy and Key Stores, then the
   EncryptionKey value should be the same.

   Here are some guidance notes :

   Adding A Second Policy Server Pointing To The Same Policy Store and Key Store
   https://knowledge.broadcom.com/external/article?articleId=127169

   Further reading :
   
   Step 2: Install and Configure the Parallel Environment

     To maintain single sign-on with a common key store, all Policy
     Servers must use the same encryption key. If you do not know the
     value of the encryption key, reset the value in the policy
     store. Use the new value when installing the Policy Servers.

   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/upgrading/parallel-upgrade/step-2-install-and-configure-the-parallel-environment.html

   Common Key Store Requirements

     Verify that all Policy Servers use the same encryption key. If
     you do not know the value of the encryption key, reset the r12.x
     value in the policy store. Use the new value when installing a
     12.8.03 Policy Server.

   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/upgrading/parallel-upgrade/step-1-determine-the-key-store-option/common-key-store-deployment.html

2. You should ensure that the Policy Store with 12.52Sp1 objects are
   completely healthy, by following these requirements from
   documentation :

   Correct Integrity Errors of Policy Store

     CA Single Sign-on features strict policy store validation checks
     that prevent you from upgrading older policy stores with integrity
     errors. Before you upgrade, correct the integrity errors of your
     existing policy store.

   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/upgrading/correct-integrity-errors-of-policy-store.html

   You should set only 1 Policy Server to roll the keys if you have
   dynamic agent keys.

   Common Key Store Requirements

    Select a single Policy Server to generate dynamic Agent
    keys. Disable Agent key generation for the remaining Policy
    Servers.

   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/upgrading/parallel-upgrade/step-1-determine-the-key-store-option/common-key-store-deployment.html

   and

   Separate a r12.x Key Store from a Collocated Policy Store

     Disable dynamic agent key generation in the r12.x environment.
     If your environment uses static keys, this step is not
     required. However, a CA Single Sign-On administrator cannot generate a
     random agent key after you export the keys from the policy store.

   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/upgrading/parallel-upgrade/step-1-determine-the-key-store-option/common-key-store-deployment.html
   
3. See the answer on point 2 above.

4. We invite you to read carefully the Upgrade entire section from the
   documentation about this question :

   Upgrading
   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/upgrading.html

   More, in order to avoid to face complications due to your specific
   environment, we strongly invite you to engage our Services
   department in order to benifit from their experience in environment
   upgrade and they will help you to build an upgrade plan before
   going live.

      CA Services (now HCL)
      https://www.broadcom.com/support/ca/services-support/ca-services