
MRA configuration- Jabber from internet

Dear Experts;

 

I am facing an issue while creating the traversal zone on my VCS-E and VCS-C.

I am trying to configure remote Expressway; please find the attachment for the configuration. Could you guys please help me understand it better?

Please find below an overview of the configuration which I have done:

  1. Set Unified Communication mode to Mobile Remote Access on both VCS-C and VCS-E.
  2. Configured Unified CM and IM&P on the Expressway-C.
  3. Configured the domains on Expressway-C for which services are to be routed to UCM.
  4. Installed a suitable security certificate on the Expressway-C and the Expressway-E.
  5. Since I am not using TLS verified mode is set to ON, so didn't upload the CUCM and IM&P tomcat certificates.
  6. Uploaded the signed certificate to both VCS-C and VCS-E.
  7. Configured the traversal zone:
    1. Type: Unified Communications Traversal
    2. Port: 7020 (7001 is used for another traversal zone of type traversal server, which is working fine)
    3. H.323 set to off
  8. When I save the configuration on both VCS-E and VCS-C, the status shows failed with reason code "system not reachable".
  9. I am using the host name as the peer address, which I can ping from server to server.
  10. So kindly help me to configure it properly if I missed something.

Regards,

Shalid  

7 Replies

In addition to the above, I am getting a port conflict error on VCS-C:

 

There is a port conflict on Unified CM 10.XX.XX.XX between neighbor zone CUCM Neighbor and Unified Communications (both are using port 5060);

 

I have another neighbor zone which uses the same port 5060 for B2B video calls. Do I need to change the port number in VCS and the SIP trunk in CUCM?

Finally, my MRA configuration works well.

Please find below the steps which I took to complete the configuration.

 

  1. The Jabber client must verify the identity of the Expressway-E it is connecting to by validating its server certificate. To do this, the client must have the certificate authority that was used to sign the Expressway-E's server certificate in its list of trusted CAs.
  2. DNS records:
    1. The public DNS must be configured with _collab-edge._tls.<domain> SRV records (_collab-edge._tls.sample.com).

| Domain | Service | Protocol | Priority | Weight | Port | Target host |
|---|---|---|---|---|---|---|
| sample.com | collab-edge | tls | 10 | 10 | 8443 | tp-vcse.sample.com |
| sample.com | sips | tcp | 10 | 10 | 5061 | tp-vcse.sample.com |

  • Local DNS requires _cisco-uds._tcp.<domain> and _cuplogin._tcp.<domain> SRV records.
  • _cisco-uds._tcp.sample.com
  • _cuplogin._tcp.sample.com

| Domain | Service | Protocol | Priority | Weight | Port | Target host |
|---|---|---|---|---|---|---|
| sample.com | cisco-uds | tcp | 10 | 10 | 8443 | 10.200.1XX.XX |
| sample.com | cuplogin | tcp | 10 | 10 | 8443 | 10.200.1XX.XX |

 Validation from System Team 

3. The Phone Security Profiles in UCM that are configured for TLS and are used for devices requiring remote access must have a name in the form of an FQDN that includes the enterprise domain (this is because those names must be present in the list of Subject Alternate Names in the Expressway-C's server certificate).

  • Configured security profile jabber.sample.com by modifying Cisco Unified Client Services Framework - Standard SIP Non-Secure Profile
  1. Ensured that AXL services are activated on the Publisher and IM&P
  2. Ensured that NTP is configured and synchronized properly

 

Expressway:

  1. System host name and domain name are specified for every Expressway, and all Expressways are synchronized with NTP

 

Expressway –C

 

Express E

 

Set Unified Communication mode to Mobile Remote Access in both VCS –C and VCS E

 

           In expressway- E, TURN services are set OFF.

Configure Unified CM and IM&P on the Expressway- C;

  • Configured but mention TLS as off
  • Configured the domains on Expressway-C for which services are to be routed to UCM

 

Installation of suitable security certificate on the Expressway-C and the Expressway-E

Since I am not using TLS verified mode is set to OFF, so not uploading the CUCM and IM&P tomcat certificates.

Configuring traversal Zone in Expressway

Configured a traversal zone of type Cisco Unified Communications on VCS-E and VCS-C as below:

 

Issue Faced during configuration:

  1. The traversal zone was not coming active.
    1. Open ports 7001 – 7005 on the firewall between VCS-C and VCS-E
    2. Open port 7400 from VCS-E
    3. We must use 5060 and 7001 for MRA, so re-configured the CUCM neighbor zone with 5063:
      i. In Cisco Call Manager, change the listening port in the SIP security profile used for the VCS trunk.
      ii. System > Security > SIP Trunk Security Profile

Change the corresponding value in VCS-C

 

Any change in the configuration of network-related information may require either a system restart or re-configuring the related configuration, such as the traversal zone … (I had faced this issue and solved it by this method only.)

Phone Configuration in CUCM:

Android / iPhone:

From the end user page, subscribe the user service profile

 

Home Cluster : should be checked

Enable User for Unified CM IM and Presence : should be enabled.

Device should be associated with user.

Configure phone as below:

  1. Device type : Cisco Dual Mode for Android /Cisco Dual Mode for iPhone
  2. Device Name : Should start with BOT for Android and TCT for iPhones
  3. Owner :  Assign respective user account
  4. SIP Profile : Standard SIP Profile for Mobile Device
  5. Device Security Profile : Cisco Dual Mode for Android.
  6. Save the Configuration.
  7. Configure Line for the user.

Login from Jabber:

  1. From the advanced options on the Jabber login page, select IM
  2. Fill user name and password
  3. Enter the VCS-E FQDN (tp-vcse.sample.com)

 

Now you are ready to make your first VoIP call from the internet using Jabber.
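The SRV layout from the post above can be checked mechanically. The following is an added example, not part of the original thread: it audits zone-file style records against the post's public/local split and port 8443. The host name cucm.sample.com, the address 192.0.2.10 and the TTLs are constructed sample values, and the IP-literal check follows RFC 2782 (an SRV target is a host name) rather than anything stated in the post.

```python
import ipaddress
import re

# Service -> (DNS view, port), following the post's public/local DNS tables.
EXPECTED = {
    "_collab-edge._tls": ("public", 8443),
    "_cisco-uds._tcp": ("internal", 8443),
    "_cuplogin._tcp": ("internal", 8443),
}
# Constructed sample records (view, zone-file line); cucm.sample.com is hypothetical.
SAMPLE = [
    ("public", "_collab-edge._tls.sample.com. 300 IN SRV 10 10 8443 tp-vcse.sample.com."),
    ("public", "_cisco-uds._tcp.sample.com. 300 IN SRV 10 10 8443 cucm.sample.com."),
    ("internal", "_cisco-uds._tcp.sample.com. 300 IN SRV 10 10 8443 cucm.sample.com."),
    ("internal", "_cuplogin._tcp.sample.com. 300 IN SRV 10 10 8433 192.0.2.10"),
]
SRV_RE = re.compile(r"^(_[\w-]+\._\w+)\.\S+\s+(?:\d+\s+)?IN\s+SRV"
                    r"\s+\d+\s+\d+\s+(\d+)\s+(\S+)$", re.IGNORECASE)

def parse_srv(line):
    # Return (service label, port, target) for one SRV line; TTL is optional.
    m = SRV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV record: {line!r}")
    service, port, target = m.groups()
    return service.lower(), int(port), target.rstrip(".")

def is_ip_literal(target):
    try:
        return ipaddress.ip_address(target) is not None
    except ValueError:
        return False

def audit(records):
    # Report records in the wrong view, on the wrong port, with an IP target,
    # and expected records that are absent from their view.
    findings, seen = [], set()
    for view, line in records:
        service, port, target = parse_srv(line)
        if service not in EXPECTED:
            continue
        want_view, want_port = EXPECTED[service]
        seen.add((service, view))
        if view != want_view:
            findings.append(f"{service}: published in {view} DNS, expected {want_view} only")
        if port != want_port:
            findings.append(f"{service}: port {port}, expected {want_port}")
        if is_ip_literal(target):  # RFC 2782: the SRV target is a host name
            findings.append(f"{service}: target {target} is an IP literal")
    findings += [f"{s}: missing from {v} DNS" for s, (v, _) in EXPECTED.items() if (s, v) not in seen]
    return findings
```

Calling `audit(SAMPLE)` returns one finding per problem; feed it the answers from an internal and an external resolver to audit a real deployment.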

Clifford McGlamry

So, what did you have to change to get rid of the System Unreachable?

 

I see the steps for your full config below, but I'm trying to figure out why, if I follow the documentation I get System Unreachable.

I have not put certificates on the devices as I was going to go with the self signed certs for now.  

 

How did you resolve that issue?

Hi, 

I guess that you are facing system unreachable in the traversal zone.

1. Check that the ports are open between VCS-E and VCS-C; please refer to page 22 in http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-1/Mobile-Remote-Access-via-VCS-Deployment-Guide-X8-1-1.pdf

2. Check the credentials configured in the VCS-E and VCS-C traversal zone.

If everything is correct, please recreate the zone; it will work. I had faced the same issue: initially the problem was with the port, and even after everything was correctly configured I was still facing the issue. Then Cisco TAC advised me to re-create it, and it works well.

Let me know if you still face the issue; you can also check the dump logs under Maintenance --> Diagnostics --> Diagnostic Logging and share the logs.

 

Regards

Shalid.

 

 

Logs showed an authentication error.  Turns out that you CANNOT use the self signed certs for communication between the E and C boxes.

Customer is working on getting "real" certs.

Not really required. You can get it signed by the internal system team from their CA. This is what I have done: generated a request from each VCS server, got it signed by the internal CA and uploaded it to the respective VCS servers.

Also, did you recreate the zone?

 

Please keep me updated.

Yes, the zone was recreated.  But the certs on the boxes were the self signed ones from installation.  There is no avoiding having a CA (even a private one) involved.