Ok, after much trial and error and going through the docs, I managed to fix it.
As per the SonarQube docs, Sonar runs in two different Java processes, one for the Web Server and the other for the Compute Engine, which is responsible for all background tasks.
The env variable SONARQUBE_WEB_JVM_OPTS is only used by the Web Server, and that’s why it worked earlier to load the repo from Bitbucket etc.
But since the Compute Engine is the one doing PR decoration (in the background) and it does not have the CA cert, it was failing with an SSL unknown cert issue. To fix it, we can add the Compute Engine env variable SONAR_CE_JAVAADDITIONALOPTS with the same JKS details.
SONAR_CE_JAVAADDITIONALOPTS: -Djavax.net.ssl.trustStore=/tmp/sonarqube.jks -Djavax.net.ssl.trustStorePassword=pass
That’s it, and after a Docker container restart it works for PR decoration as well.
I wish the Sonar team would add docs, especially on how to handle self-signed or internally generated CA certificates, since it’s kind of very common in many organizations.
Thanks.
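
A check for the misconfiguration described in the post above, as an added example that is not part of the original post and is not SonarQube code: it compares the trust store named in the Web Server options with the one in the Compute Engine options. The function names and return codes are assumptions made for this sketch, and the sample values are constructed from the settings quoted in the post.

```sh
#!/bin/sh
# Added example, not SonarQube code. Reports only the store path, never the password.

# Print the -Djavax.net.ssl.trustStore value found in a JVM options string.
# Returns 1 when the option is absent (trustStorePassword alone does not count).
truststore_of() {
    case " $1 " in
        *" -Djavax.net.ssl.trustStore="*)
            ts_rest=${1#*-Djavax.net.ssl.trustStore=}
            printf '%s\n' "${ts_rest%% *}" ;;
        *) return 1 ;;
    esac
}

# Compare Web Server ($1) and Compute Engine ($2) JVM options.
# Returns 0 = same store, 1 = CE has none, 2 = Web has none, 3 = different stores.
check_truststores() {
    web_ts=$(truststore_of "$1") || { echo "Web Server: no trustStore set"; return 2; }
    ce_ts=$(truststore_of "$2") || {
        echo "Compute Engine: no trustStore set (background tasks will not trust the internal CA)"
        return 1
    }
    [ "$web_ts" = "$ce_ts" ] || { echo "mismatch: Web=$web_ts CE=$ce_ts"; return 3; }
    echo "ok: both processes use $web_ts"
}

# Constructed sample values mirroring the post's settings.
web_opts='-Djavax.net.ssl.trustStore=/tmp/sonarqube.jks -Djavax.net.ssl.trustStorePassword=pass'
check_truststores "$web_opts" ""          || echo "exit code $?"   # state before the fix
check_truststores "$web_opts" "$web_opts" || echo "exit code $?"   # state after the fix

# Against a live container environment:
# check_truststores "$SONARQUBE_WEB_JVM_OPTS" "$SONAR_CE_JAVAADDITIONALOPTS"
```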