Looking at the Tomcat logs, there is an error about deleting a target account because it does not exist.
The target account and policy related to Threat Analytics were both deleted previously. Even when creating a new target account and policy, the error still occurs.
Other cause: The same error message is observed if the CATapApiUser and its API key (target account) still exist from an old license that was later on replaced by a license w/o Thread Analytics. Either it was done at an old release, when we did not actively remove such artifacts associated with a license option, or someone worked around the problem by using the procedure in KB 96795, bringing the user and key back in when restoring a DB backup. In that case the error may occur when the PAM admin stops the cluster and tries to apply the license while the nodes are in a locked state. This will not work, because the API key cannot be deleted while the CMDB is locked.
PAM 3.3.x and above
Following the steps in the KB below will allow the license to be applied.
After following the KB, the Threat Analytics device and user will still remain. In order to delete them, Support must connect to the appliance and manually delete them.
For the other cause in a cluster: After stopping the cluster, unlock the master node (first node in the primary site), and then delete the CATapApiUser. This should be successful. Start the cluster back up so that the other nodes get the database updated. Then stop the cluster, apply the new licenses and start it again.