It appears like permission expectation between the two services are different. You can have different permissions for different characteristics. Since for CTS, you implement a client, you do not have much control on the permissions imposed by iOS's CTS server. Hence your overall device security configuration should at least match the minimum requirement imposed by the CTS server in iOS, which needs encryption (this translates to to a minimum setting for security - Unauthenticated pairing with encryption). However for immediate alert server/client, there is no minimum requirement - hence most device choose to implement "No authentication or encryption".
Now in order to have different permissions for different characteristics (say for Immediate Alert service's Alert level char), in the BLE component customizer, under the GATT settings where you configure your services, click on the "Alert Level". On the right side pane, you should see a section for "Permissions". Expand it and make sure that both read/write permissions have all the permissions to "No encryption, authentication or authorization". Also make sure you uncheck "Update after GAP security level change", otherwise these permissions will get updated every time you change the security configuration.
I am not at my desk and do not have a board to test the above. But if my understanding is correct, I would expect it to work Again I do not understand why Immediate alert service will have to fail, as unauthenticated pairing with encryption is above the min req. May be by fail do you mean the Android App not able to control it?? If yes, then that might be because the app might implement "No security" and does not satisfy the minimum requirement imposed by the Immediate alert server implemented in PSoC.
Let me know if this helps.
Meenakshi Sundaram R