There are two parts....
[A] the conf files on the WAMUI Server.
[B] The trusted host object for that WAMUI within the Policy Store (of the additional policy server which is registered as a Policy Server connection).
I think I don't have to talk about [B] because we know how that works and it is explained above.
Regarding [A] if we see under the <Install_location>CA\siteminder\adminui\server\default\data\siteminder\ there is a single conf file which lists the first Policy Server against which this WAMUI was first registered (deleting the data folder is equivalent to registering the first time).
Now to find where are all the other additional policy server connection listed in WAM UI.
For that run a simple command.
Go to <Install_location>CA\siteminder\adminui\server\default\ directory.
Run "grep -nr -i "AdditionalPolicyServerHostName".
You'll see that within <Install_location>CA\siteminder\adminui\server\default\data\derby\siteminder\ there is "objectstore" and "taskpersistence" folder which have gibberish *.dat files which has the additional Policy Server connection details, trusted hostname & shared secret within it. I believe the WAMUI uses these *.dat files to read the additional policy server connection details & shared secret; then uses it to make a successful handshake with the Additional Policy Server. When The Additional Policy Server receives the handshake request, it looks into its Policy Store to see if a trusted host exists. If a trusted host exists verifies the Shared Secret. This is same process for the WebAgent.