Initially, when a legacy AP comes up, it uses the plain clear-text PAPI, since it certainly has no certificate on it yet. It then sends a CSR to the controller, and that request stays pending until the certificate is provisioned and approved.
Once approval is done, the controller should send the signed certificate back over this same clear-text PAPI. Here it sends back only the "signature" rather than a full certificate.
The payload carries the controller's serial number and MAC address as part of the signed certificate.
A non-legacy AP does not need a certificate issued this way, as it already has a factory_cert.