In your Mobility Master (MM) there will be a line in the configuration for each of the Mobility Controllers (MCs):
!
localip <controller-ip> ipsec ******
To find it more easily and to decrypt the IPsec PSK, try this:
cd /mm
encrypt disable
show configuration effective | include localip
Try setting this PSK to what you configured during the full-setup phase of the controller.
For the MM redundancy (MM to MM), the IPsec key is configured under 'master-redundancy'. Look for the following:
peer-ip-address <MM-peer> ipsec <ipsec-key>
This needs to be the same on both MMs.
Remember to 'encrypt enable' when you're done.