Version 4.1 - 2.0 SXP
SXP is the SGT Exchange Protocol. SGT is a (16-byte) Security Group Tag. This opens up a whole big can of worms that is not really covered by any of the other listed topics.
If you don't know TrustSec inside and out, start with the Cisco TrustSec page. Then you should really watch the YouTube videos [Cisco TrustSec LiveLessons series] by Natalie Timms. The SIMOS materials also cover this fully.
"SXP uses TCP as the transport protocol, and the TCP port 64999 for connection initiation. SXP uses Message Digest 5 (MD5) for authentication and integrity check. It has two defined roles—speaker (initiator) and listener (receiver)."
I think there could be a number of questions from this section on the exam. So know what SGTs are and how they are assigned (802.1x, MAB, web auth) - tagged at the ingress. The command "cts sxp enable" is used to enable SXP - (you need a license for that).
So what do you do if you have TrustSec configured on the access device (where the source traffic is generated), TrustSec (and SGACLs) on the switch connecting to the destination device, and multiple devices between them that are not TrustSec capable? This is where SXP comes to the rescue. You set up SXP peers between the TrustSec capable devices so that the IP-to-SGT mappings (don't fly off into space) remain to be used by the SGACLs at the destination's switch. It is also used between TrustSec capable devices. Check out this picture (which I pilfered from the web):
One of the reasons I think there would be a lot of questions on the exam for SGTs, SXP, TrustSec and SGACLs is because it's really Cisco-centric (the topics and the exam). And with the adaptive nature of the exam and so much material to cover, miss one and it could really hurt you. This has so much ground to cover that you could get hammered over and over with different questions all on the same "main" topic. On the other hand, if you've gone through this stuff in the SIMOS course materials, you should be fine for anything they may throw at you in this area.