It is required to introduce SSL for a Gen Classic Java Proxy based web app that connects to the Gen TIML running under CICS.

Ideally before implementation, it would be preferable to be able to keep the same ports to reduce the amount of configuration required.
However, those ports are also used for non-SSL traffic that may originate from another web app that is not in scope for this change.
Do we need all new ports in CICS for SSL or can there be a mixture of SSL and non-SSL traffic coming into the same region/port?

The relevant Gen 8.6 doc. page for java proxy connecting to Gen CICS TIML via SSL here: Java Proxy for Secure CICS > Preparing for Execution of Secure Java Proxy Application Targeting CICS

Per above:
===
z/OS Configuration
Configure IPSec for the TCP/IP Stack used by the Gen Server to specify the options for ttls.policy. Indicate where the HandshakeRole is done (Server), specify the Certificate that is used and the location of Keyring.
No changes are required to the CICS Direct Connect TCP/IP Listener.
A successful configuration lets you identify the secure port.
===

The TIML is a CICS Listener so it falls under what is limited by CICS Sockets.
So, referring to IBM doc: z/OS 2.4.0 > z/OS Communications Server > Abstract for Comm Svr: IP CICS Sockets Guide

Using "Download PDF" option (https://www-40.ibm.com/servers/resourcelink/svc00100.nsf/pages/zOSV2R4Library) download the "z/OS Communications Server: IP CICS Sockets Guide" - halc001_v2r4.pdf

In section "Application Transparent Transport Layer Security" (AT-TLS) on page 133 it states:
===
If a CICS listener is AT-TLS enabled but the client does not use SSL, there is a mismatch; AT-TLS receives
unencrypted data when it is expecting encrypted data. In this case, AT-TLS resets the connection. See the
Application Transparent Transport Layer Security (AT-TLS) topic in the z/OS Communications Server: IP
Configuration Guide for information regarding defining keyrings, client certificates, mapping them to user
IDs, permitting users access to keyrings, and other AT-TLS details.
===

Therefore separate ports and corresponding TIMLs would be needed for SSL and non-SSL connections.
There is also this KB article: Multiple instances of Gen CICS Listener (TISRVMSL/TIML)
Per the article a customer was planning to use multiple TIMLs to handle SSL and non-SSL connections using different ports in the same CICS region and that requires a unique transaction identifier for each TIML instance.

Gen Engineering also confirmed they routinely use 2 separate ports/TIMLs for testing SSL and non-SSL connections in-house.