On the secondary EEM servers, when eiam-clustersetup.jar -p <primary> is run,  it errors out during the sync portion:

[Authenticate Error: Authentication Failed, Identity Attempted: EiamAdmin]
com.ca.eiam.SafeException: EE_SPONSORERROR iSponsor Error
        at com.ca.eiam.SafeContext.authenticateWithPassword(SafeContext.java:1683)
        at com.ca.eiam.clustersetup.FailoverUtility.fetchServerConfiguration(FailoverUtility.java:31)
        at com.ca.eiam.clustersetup.FailoverConfigurator.startSecondaryFailoverConfiguration(FailoverConfigurator.java:921)
        at com.ca.eiam.clustersetup.FailoverConfigurator.performAction(FailoverConfigurator.java:380)
        at com.ca.eiam.clustersetup.FailoverConfigurator.commandPrompt(FailoverConfigurator.java:356)
        at com.ca.eiam.clustersetup.FailoverConfigurator.main(FailoverConfigurator.java:106)

Release : 12.x

TLS 1.2 with strong ciphers was enforced in igateway.conf.   

The Java call that was using EEM SDK to run eiam-clustersetup, that was trying older TLS (1.0/1.1) to connect to the igateway, which was getting denied.

1) As a workaround, remove the  TLSv1_2   and -ALL:HIGH:MEDIUM:!RC4   from the igateway.conf  (see bolded below that we removed)

<secureProtocol>TLSv1_2</secureProtocol>
<cipherlist>-ALL:HIGH:MEDIUM:!RC4</cipherlist>

(https://knowledge.broadcom.com/external/article?articleId=74517) 

2) Save the file, bounced iGateway

3) Complete the eiam-clustersetup now,  make sure the HA setup now completes fine.

4) You can also do some basic EEM HA test too (add policy on one server,  shows up on 2nd,   delete it on 2nd, gets deleted on 1st)

5) enable TLSv1_2  and strong ciphers in  igateway.conf back  (https://knowledge.broadcom.com/external/article?articleId=74517)

8) Restart igateway,  verify EEM is still good