Updates:
After a long rest and a clear head, I was able to fix the IPsec issue.
After all, it was all my own fault. Lol.
I paid too much attention to ports 500 and 4500 and forgot about the ESP protocol, which doesn't require any ports. Duh!
So for those of you who use Cisco, have the SS in the DMZ on the back-end firewall, and received the same error, make sure to also add:
1. The access list for the ESP protocol from host SS to host internal CS with no ports.
2. Under policy-map, add inspect ipsec-pass-thru
3. Add static (inside, DMZ) internal CS internal CS netmask /32
Hope that helps.
Thanks Mark!!
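
The three additions from the post above written out as ASA commands, as an added example that is not part of the original post. It assumes the pre-8.3 ASA syntax that the post's `static` form implies, the default `global_policy` and `inspection_default` names, a hypothetical ACL name `DMZ_access_in` that is already bound inbound to the DMZ interface, and constructed addresses 192.0.2.10 (SS) and 10.0.0.10 (internal CS).

```cisco
! Constructed sample addresses (assumptions, not from the post):
!   SS          = 192.0.2.10  (DMZ interface side)
!   internal CS = 10.0.0.10   (inside interface side)
! DMZ_access_in is a hypothetical ACL name, assumed already applied
! inbound on the DMZ interface.

! 1. ESP is IP protocol 50 and carries no port numbers, so the entry
!    matches on protocol and the two hosts only.
access-list DMZ_access_in extended permit esp host 192.0.2.10 host 10.0.0.10

! 2. Enable IPsec pass-through inspection in the default global policy.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru

! 3. Identity static so the internal CS is reachable from the DMZ at its
!    real address (/32 = netmask 255.255.255.255).
static (inside,DMZ) 10.0.0.10 10.0.0.10 netmask 255.255.255.255

! Checks: the ESP entry's hit count should increase once the tunnel
! carries traffic, and the inspection should be listed in the policy.
show access-list DMZ_access_in
show service-policy
```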