We are adding FIPS support in PAM 3.6, which among other things, will improve the Signing Algorithm to SHA256. The FIPS mode will be off by default and you can enable it if you require. When you upgrade your Framework Manager to 3.6, you have to wait for your agents to go for re-registration (that happens in every 2 days by default). While re-registering, agents will learn about the FIPS mode and auto-renew their certificates and will be signed using SHA256 for PAM communication via port 29120.
For fresh installation (PAM 3.6), after you install your primary PAM Manager, you have to enable your FIPS mode before you go for your agent deployment and licensing. In such case, your hosts will renew their certificates for PAM communication via port 29120 and they will automatically be signed using SHA256.