I figured it out.
Under: Work Centers > Device Administration > Device Admin Policy Sets > Rule-2
I changed the "Allowed Protocols/Server Sequence":
TO: "Default Device Admin"
FROM: "Migrated_Default Device Admin"
This allowed me to delete the migrated Allowed Protocols Services group.
I now only allow PAP/ASCII via the default device admin & FIPS is applied. I tested this on ISE2 (secondary) prior to changing ISE1 (primary) [for clarity, they are both in primary mode - the devices see ISE1 first].
Hope this helps someone in the future.