Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

How can I change the SSH port of the controller from 22 to another port?

  • 1.  How can I change the SSH port of the controller from 22 to another port?

    Posted Mar 06, 2018 03:07 AM

    I would like to change the SSH port of the controller to another port. Is that possible?

     

    Thank you



  • 2.  RE: How can I change the SSH port of the controller from 22 to another port?
    Best Answer

    EMPLOYEE
    Posted Mar 06, 2018 03:10 AM

    You cannot, unfortunately.



  • 3.  RE: How can I change the SSH port of the controller from 22 to another port?

    Posted Mar 07, 2018 01:44 AM

    Well, you cannot as a supported CLI option, but you could get creative and set up a dst-nat to handle your desired "hidden" SSH port, allow a trusted host or two, and then block all other port 22 traffic.

     

    # create a remapping ACL where
    # 1.2.3.4 is a trusted internal host
    # which you should have in case you make
    # any mistake in this process (else you may
    # be locked out, or, have to use webui to fix)
    ip access-list session remap-ssh
      host 1.2.3.4 any any  permit 
      any   alias mswitch tcp 12345  dst-nat 22 log 
      any any svc-ssh  deny log 
      any any any  permit 
    !
    
    # now apply to the controller uplink, make sure
    # you are connected from 1.2.3.4 when you do this !!
    (620) (config) #interface gigabitethernet 1/8 
    (620) (config-if)#ip access-group remap-ssh session 
    (620) (config-if)#exit

    now test it from any host that is not 1.2.3.4:

    root@kali-246:~# ssh admin@1.2.3.254
    
    ^C
    root@kali-246:~#
    
    Mar 7 14:37:16 :124006:  <WARN> |authmgr|  {0} TCP srcip=1.2.3.246 srcport=50132 dstip=1.2.3.254 dstport=22, action=deny, policy=remap-ssh
    Mar 7 14:37:17 :124006:  <WARN> |authmgr|  {1} TCP srcip=1.2.3.246 srcport=50132 dstip=1.2.3.254 dstport=22, action=deny, policy=remap-ssh

    and now using the specified port, 12345

    root@kali-246:~# ssh -p 12345 admin@1.2.3.254
    admin@1.2.3.254's password: 
    Last login: Wed Mar  7 14:32:20 2018 from 1.2.3.4
    
    
    (620) # profit
    (620) # show log security 5 | include remap
    Mar 7 14:37:31 :124006:  <WARN> |authmgr|  {2} TCP srcip=1.2.3.246 srcport=59634 dstip=1.2.3.254 dstport=12345, action=dst-nat 22, policy=remap-ssh

    hth.
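Added example, not part of the original thread and not vendor tooling: a small parser for the `authmgr` session-ACL log lines shown above, which counts denied port-22 attempts per source and lists sources that were denied on 22 and later reached SSH through the remapped port. The function names and the last two sample lines are constructed for illustration; the first three lines are the ones quoted in the post.

```python
import re
from collections import Counter

# Lines 1-3 are quoted in the thread; lines 4-5 are constructed sample input.
SAMPLE_LOG = """\
Mar 7 14:37:16 :124006:  <WARN> |authmgr|  {0} TCP srcip=1.2.3.246 srcport=50132 dstip=1.2.3.254 dstport=22, action=deny, policy=remap-ssh
Mar 7 14:37:17 :124006:  <WARN> |authmgr|  {1} TCP srcip=1.2.3.246 srcport=50132 dstip=1.2.3.254 dstport=22, action=deny, policy=remap-ssh
Mar 7 14:37:31 :124006:  <WARN> |authmgr|  {2} TCP srcip=1.2.3.246 srcport=59634 dstip=1.2.3.254 dstport=12345, action=dst-nat 22, policy=remap-ssh
Mar 7 14:40:02 :124006:  <WARN> |authmgr|  {3} TCP srcip=1.2.3.77 srcport=41000 dstip=1.2.3.254 dstport=22, action=deny, policy=remap-ssh
Mar 7 14:41:10 :124006:  <WARN> |authmgr|  {4} UDP srcip=1.2.3.9 srcport=53 dstip=1.2.3.254 dstport=53, action=permit, policy=other-acl
"""

# Field layout taken from the log lines in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+:\d+:\s+<\w+>\s+\|authmgr\|\s+\{\d+\}\s+"
    r"(?P<proto>\w+)\s+srcip=(?P<srcip>\S+)\s+srcport=(?P<srcport>\d+)\s+"
    r"dstip=(?P<dstip>\S+)\s+dstport=(?P<dstport>\d+),\s+"
    r"action=(?P<action>[^,]+),\s+policy=(?P<policy>\S+)\s*$"
)

def parse(text, policy="remap-ssh"):
    """Return one dict per log line that was produced by the given ACL."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["policy"] == policy:
            events.append(m.groupdict())
    return events

def summarize(events):
    """Count denied port-22 hits and dst-nat hits per source IP.

    Also returns sources seen in both sets: hosts that were blocked on 22
    and then connected through the remapped port, which an admin may want
    to review because only intended users should know that port.
    """
    denied, remapped = Counter(), Counter()
    for e in events:
        if e["action"] == "deny" and e["dstport"] == "22":
            denied[e["srcip"]] += 1
        elif e["action"].startswith("dst-nat"):
            remapped[e["srcip"]] += 1
    return denied, remapped, sorted(set(denied) & set(remapped))

if __name__ == "__main__":
    d, r, both = summarize(parse(SAMPLE_LOG))
    print("denied on 22:", dict(d))
    print("reached SSH via remapped port:", dict(r))
    print("denied, then remapped:", both)
```

The trusted host matched by the first ACL rule does not appear in this output, because that rule has no `log` keyword.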