To disable TLSv1.1, use best practices for SSL connections.
Use more secure TLS versions to harden the SSL connection.
By default, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 are all enabled for SSL proxy traffic. The use of SSLv3, TLSv1.0, or TLSv1.1 is not recommended due to various vulnerabilities in these protocol versions.
SG/ASG/ISG-Proxy
For best security, use the following CPL gestures:
<ssl>
    client.connection.negotiated_ssl_version=(SSLV3,TLSv1,TLSv1.1) force_deny
<ssl>
    server.connection.negotiated_ssl_version=(SSLV3,TLSv1,TLSv1.1) force_deny
Before disabling SSLv3, TLSv1.0, and TLSv1.1, verify that all clients and servers whose traffic passes through the appliance support TLSv1.2 or later.
Use more secure cipher suites to harden the SSL connection.
The appliance uses the first cipher suite offered by a client, even if it is a lower grade. For better security, allow only cipher suites that meet your minimum acceptable level of security. The HTTPS Management Console comes with 22 ciphers enabled. Disable all ciphers that operate in CBC mode and enable the more secure ciphers that operate in GCM, CCM, or stream mode. For example, enable the following list of ciphers:
– tls_aes_256_gcm_sha384
– tls_chacha20_poly1305_sha256
– tls_aes_128_gcm_sha256
– tls_aes_128_ccm_8_sha256
– tls_aes_128_ccm_sha256
– ecdhe-rsa-aes256-gcm-sha384
– ecdhe-rsa-aes128-gcm-sha256
– aes128-gcm-sha256
– aes256-gcm-sha384
– dhe-rsa-aes128-gcm-sha256
– dhe-rsa-aes256-gcm-sha384
In addition, four less secure ciphers are supported (ECDHE-RSA-RC4-SHA, DES-CBC3-SHA, RC4-SHA, RC4-MD5) but not enabled. Do not enable the less secure ciphers.
Use CPL such as the following to harden the list of cipher suites:
<ssl>
    client.connection.negotiated_cipher.strength=(low,medium) force_deny
<ssl>
    server.connection.negotiated_cipher.strength=(low,medium) force_deny
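As an added example (not from the Broadcom documentation or the appliance itself), the following Python replays negotiated-version and negotiated-cipher records against the two rule sets above, so that clients and servers that would be affected are identified before the force_deny gestures are installed. The key=value record format, the cs_*/rs_* field names and the sample hosts are constructed; map them from your own access-log format.

```python
import re
from collections import defaultdict

# Versions the CPL gestures force_deny (same spellings as in the CPL).
DENIED_VERSIONS = {"SSLV3", "TLSV1", "TLSV1.1"}
# Cipher suites the text recommends leaving enabled.
RECOMMENDED = {c.upper() for c in (
    "tls_aes_256_gcm_sha384", "tls_chacha20_poly1305_sha256", "tls_aes_128_gcm_sha256",
    "tls_aes_128_ccm_8_sha256", "tls_aes_128_ccm_sha256", "ecdhe-rsa-aes256-gcm-sha384",
    "ecdhe-rsa-aes128-gcm-sha256", "aes128-gcm-sha256", "aes256-gcm-sha384",
    "dhe-rsa-aes128-gcm-sha256", "dhe-rsa-aes256-gcm-sha384")}
# The four supported-but-disabled suites the text says not to enable.
LEGACY = {"ECDHE-RSA-RC4-SHA", "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5"}
FIELD = re.compile(r"(\w+)=(\S+)")

def normalize_version(v):
    """Map log spellings (TLSv1.0, TLS1.1, tlsv1_2, SSLv3) onto the CPL spellings."""
    v = v.upper().replace("TLS1", "TLSV1").replace("_", ".")
    return "TLSV1" if v == "TLSV1.0" else v

def assess(line):
    """Findings for one record: (side, peer, reason) per version/cipher problem."""
    f = dict(FIELD.findall(line))
    findings = []
    for side, peer, ver, cipher in (("client", f["client"], f["cs_ver"], f["cs_cipher"]),
                                    ("server", f["server"], f["rs_ver"], f["rs_cipher"])):
        ver, cipher = normalize_version(ver), cipher.upper()
        if ver in DENIED_VERSIONS:
            findings.append((side, peer, f"{ver} will be force_denied"))
        if cipher in LEGACY:
            findings.append((side, peer, f"{cipher} is a legacy cipher (leave disabled)"))
        elif cipher not in RECOMMENDED:
            findings.append((side, peer, f"{cipher} is outside the recommended list"))
    return findings

def impact_report(lines):
    """Group findings per peer so each client or server needing attention appears once."""
    report = defaultdict(set)
    for line in lines:
        for side, peer, reason in assess(line):
            report[f"{side} {peer}"].add(reason)
    return {k: sorted(v) for k, v in report.items()}

# Constructed records (not ProxySG access-log output): client-side (cs_*) and server-side (rs_*) negotiated version and cipher.
SAMPLE_LOG = [
    "client=10.1.1.5 cs_ver=TLSv1.2 cs_cipher=ECDHE-RSA-AES256-GCM-SHA384 server=intranet.example rs_ver=TLSv1.3 rs_cipher=TLS_AES_256_GCM_SHA384",
    "client=10.1.1.9 cs_ver=TLSv1.0 cs_cipher=AES128-SHA server=legacy-erp.example rs_ver=TLSv1.1 rs_cipher=DES-CBC3-SHA",
    "client=10.1.1.5 cs_ver=TLSv1.2 cs_cipher=RC4-SHA server=intranet.example rs_ver=TLSv1.3 rs_cipher=TLS_AES_256_GCM_SHA384",
]
```

Running `impact_report(SAMPLE_LOG)` lists the one client and one server that would lose connectivity under the version rules, plus the peers still negotiating ciphers outside the recommended set.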
For more information, see the reference document at the URL below.
Ref.: https://broadcom-stage.adobecqms.net/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/proxysg/7-2/generated-pdfs/SG_SBP.pdf
For the Device Profiles where you still see the box for TLS 1.1 checked, access the device profile, and uncheck the box. Please note that with the above best practice implementation, SSLv3, TLSv1.0, and TLS 1.1 will not be used.
Concerning port 8084, note that this is a standard listening port for Client Manager (see the Tech Article referenced below). TLS is not implemented per listening port on the Edge SWG (ProxySG) appliance, nor is TLS enabled or disabled on the Unified Agent itself (see the resource document referenced below).
Required ports, protocols, and services for the Edge SWG (ProxySG) appliance
Unified Agent 4.10 Deployment & Admin Guide
Additional reference: Disable TLSv1 or SSLv3 on Edge SWG (ProxySG) appliance