Hi Rikash,
The protected status comes from the agentname associated with the host, and the URL. From what you write it looks like you have defaultAgentName so that both hosts share the same "agentname".
But you can map different hosts to different agentname in your ACO :
Basic Agent Setup and Policy Server Connections - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
AgentName=app1agent,app1.example.com
AgentName=app2agent,app2.example.com
Then you can have policy for app2agent to be unprotected, and app1agent to be protected.
That would be the best way.
Cheers - Mark
----
Mark O'Donohue
Snr Principal Support Engineer - Global Customer Success