Tim's answer applies to controller RAPs. If your question relates to Instant AP's (IAP-VPN, or RAPNG which is the same), you can check the guide at http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/Tutorial-RAPNG-IAP-VPN-deployment-with-AirWave-central/td-p/148648
Where in part 2, creating a DHCP scope in L2 mode (VLAN) and putting your clients in that VLAN, will tunnel all trafiic to the controller; putting clients in a VLAN that lives on the trunk to your AP results in local bridging.
Please note that PPTP is not a valid VPN option for IAP-VPN; you can choose between Aruba IPSec, Aruba GRE (both to a mobility controller), L2TPv3 and manual GRE (which may work with other brands equipment).
Using a mobility controller as central termination point, has the additional benefit that all Aruba AP's have a built-in client certificate for authentication to the controller (protected in a trusted-platform, or TPM, chip). So authorizing the APs to the controller is extremely simple but still secure.
Does this help??