Answer by support as below:
A login is used for user authentication and a database user account is used for database access and permissions validation. Logins are associated to users by the security identifier (SID). A login is required for access to the SQL Server server. This login must be associated to a SQL Server database user. You use the user account to control activities performed in the database. If no user account exists in a database for a specific login, the user that is using that login cannot access the database even though the user may be able to connect to the SQL Server server.
The original Endpoint Protection Manager had been configured using only the SQL server name,rather than the server_name\instance_name combination.
A non-sa SQL user is attempted to be used to authenticate instead of a user account that has the 'sysadmin' level rights to SQL
So basically we reconfigured the SEPM 11 to use SQL IP instead of SQL hostname.
In upgrade option we also put SQL IP instead of hostname ...and then only the upgrade wizard able to recognize the 'sa' credentials and finish the upgrade.
Thanks again for input and help.