Got it. You just need to create the tunnel on the controller and point to the IAP that is hosting the VC. It won't work if it points to the VC address, or at least it didn't when I tried.
On the controller:
interface tunnel 1
    description "IAP tunnel"
    tunnel source <controller ip>
    tunnel destination <IAP ip>
    tunnel vlan <x>
    trusted