The simple answer is, if we have a policy store which the installer supports, then the installer would handle the binary and policy store upgrade. If we have a policy store which the installer does not support, then installer would handle the binary upgrade and we would have to manually upgrade the policy store (using the commands listed above).
If we are manually upgrading the policy store, should we import default objects. I recommend "YES"; as if there are new objects they'd only be added by this step. Be careful, you need to import either smpolicy.xml OR smpolicy-secure.xml (not both).
https://docops.ca.com/ca-single-sign-on/12-7/en/upgrading/in-place-upgrade/upgrade-policy-store
We may not need to do all the steps listed here, since we are at 12.6.1, the only applicable ones seem to be...
Step-2 : Import the Policy Store Data Definitions.
Step-3 : Import the Default Policy Store Objects
Step-4 : Import the Federation Policy Store Objects
There may be also a few steps to import additional default objects. These are not defined in the doc, but it is good to compare and ascertain.
ampolicy.xml
fedpolicy-12.5.xml
I'll create a checklist of OS versions / bitness, policy store versions, JDK versions etc - just to make sure we have cross verified all support matrix version compatibilities, before we even talk about steps / process. I am sure we'd done, the checks, but listing'em nevertheless.