XenMobile enterprise migration is completed successfully from 9 to 10.1.
Enrollment begins OK, MAM side errors out.
Customer initiates enrollment and when Secure Hub again is connecting to MAM and user is expecting to enter PIN prompt they see the following error: Please check your credentials you may have mistyped them.

2015-10-06T10:47:51.950-0400 <MAM> INFO (4) Catalog URL=https://AccessGateway.domain.com/cvpn/https/xenmobile.domain.com:8443/Citrix/StoreWeb/Tiffany/branding/list/iPhone 
2015-10-06T10:47:52.009-0400 <Me@WorkCommon> INFO (4) received response url:https://AccessGateway.domain.com/cvpn/https/xenmobile.domain.com:8443/Citrix/StoreWeb/Tiffany/branding/list/iPhone  - status code:200 
2015-10-06T10:47:52.010-0400 <Me@WorkCommon> INFO (4) URL=https://AccessGateway.domain.com/cvpn/https/xenmobile.domain.com:8443/Citrix/StoreWeb/Tiffany/branding/list/iPhone " Status code="200"" 
2015-10-06T10:47:52.012-0400 <MAM> INFO (4) catalog: {results":[]}" 
2015-10-06T10:47:52.015-0400 <MAM> ERROR (2) An error occurred while retrieving account record for URL: https://accessgateway.domain.com, error: Error Domain=com.citrix.me@work.authentication Code=3 (null)"" 
2015-10-06T10:47:52.016-0400 <MAM> INFO (4) FTU state:1, error:Error Domain=com.citrix.me@work.authentication Code=3 (null)"" 
2015-10-06T10:47:52.018-0400 <MAM> ERROR (2) Logout initiated for FTU failure. Status=1 - Error:Error Domain=com.citrix.me@work.authentication Code=3 (null)"" 
2015-10-06T10:47:52.020-0400 <MAM> ERROR (2) Logout invoked. 
2015-10-06T10:47:52.020-0400 <MAM> INFO (4) Performing logout 
2015-10-06T10:47:52.079-0400 <Me@WorkCommon> INFO (4) redirect code:302 -- location :/vpn/logout.html 
2015-10-06T10:47:52.079-0400 <Me@WorkCommon> WARNING (3) Will NOT redirect 
2015-10-06T10:47:52.082-0400 <Me@WorkCommon> INFO (4) received response url:https://accessgateway.domain.com/cgi/logout - status code:302 
2015-10-06T10:47:52.083-0400 <Me@WorkCommon> INFO (4) URL=https://accessgateway.domain.com/cgi/logout" Status code="302"" 
2015-10-06T10:47:52.086-0400 <AUTH> INFO (4) Response code 302 for url https://access.gateway.com/cgi/logout 
2015-10-06T10:47:52.088-0400 <AUTH> WARNING (3) Logging out for AG Address https://accessgateway.domain.com
2015-10-06T10:47:52.090-0400 <MAM> INFO (4) logout invoked

This problem is caused by Domain field misconfiguration that can be found on XenMobile LDAP settings (domain alias field) and the Domain field configured on NetScaler Gateway VIP.

In this particular scenario customer has XenMobile 10.1 (settings came from migration) and the Domain Alias field was set to "domain.com".
The NetScaler / NetScaler Gateway VIP was configured to use under the domain field (Published Applications tab) "DOMAIN".
To remedy this and since "DOMAIN" value was set from NetScaler Gateway Global settings, the Domain Alias field on XenMobile 10 LDAP settings needed to be modified to match what is found on NetScaler. 
Meaning LDAP settings > Domain Alias field was modified from "domain.com" to use "domain" instead.
MAM side of enrollment completed successfully after this change.

Problem Cause

Misconfiguration found between XenMobile LDAP settings and NetScaler Gateway Settings (domain field under Published Applications tab).