The decision to perform Encrypted or Authenticated calls is determined by the security profile assigned to each party of a call. The lowest common denominator, including unsecured, wins unless you set mandatory minimums. There is a long and involved prerequisite to doing this where you must enable mixed mode on the UCM cluster using the CTL Client, CAPF, the security tokens, and device LSC enrollment. All of this is documented in the Security Guide that you referenced. The steps involved are far too many to repeat here.
These are the paths to get to each CCX logs through CLI. They may be helpful if you are having issues accessing RTMT or downloading logs through it.
If you want to download them you have to prefix "file get " and you can add one of the options (re...