Patches are cumulative and normally you should be able to upgrade from 2.1 patch 5 to 2.3. However, there is a bug in the 2.3 upgrade process in that it fails to properly ascertain the readiness when one or more of the target nodes was patched non-sequentially.
You should open a TAC case and they will be able to help you with a workaround.
I believe after upgrading the secondary ISE node a patch is installed. The primary node checks the version of the secondary at step 3 ("Validating data before upgrade.."). The reason for this is that, after the upgrade process finishes, the primary is automatically added to the new upgraded ISE deployment. However, if a patch is applied to the secondary, after the upgrade process the primary cannot be added to the new deployment automatically because it would not have the patch installed.
In short, the mentioned message indicates that a patch is installed on the upgraded ISE node.
"STEP 3: Validating data before upgrade... % Warning: Cannot upgrade this node as new PAP has patch(es) installed on it, please remove the patch(es) and try again."
I can think of two workarounds to this issue:
1. Uninstall the patch on the upgraded secondary node (2.3 or 2.4) and try to upgrade the primary again.
2. Make the primary node standalone and then upgrade it and manually add it to the upgraded ISE deployment.
I know it has been some time since this discussion and the issue must have been resolved. The second method worked for me. I just want to have a record of the solution for when it is searched.