Currently you can have SD-WAN Overlay only between firewalls managed by the same Management server (support between different Domains in an MDM server is on the roadmap).
The authentication will be based on certificates, as today. We don't change that.
If there is already a VPN tunnel between those gateways, once you enable SD-WAN on those peers (both sides), the tunnels will be changed from link selection to tunnel per interface by SD-WAN.
If everything is configured properly in advance, the switch should be quick.