Assuming you are not doing EAP termination on the controller, there is nothing to change at all. The SSID remains WPA2-AES. What differs is how the RADIUS server accepts authentications. So, in order to accomplish using EAP-TLS, you'll need to authenticate users/computers with certificates.
From a RADIUS perspective this is simply a change in the authentication that is allowed in the particular policy that matches the client request. From a client perspective, the client will need a certificate and alter their settings to use EAP-TLS. Those two pieces of the equation are rather simple to modify. The last part is the part that requires additional planning... that is the PKI itself. If you are going to authenticate devices with certificates, you'll have to issue certificates to your users/devices. If you choose to implement a Microsoft-based PKI, the deployment to domain-joined machines is very simple; it is the non-domain systems that sometimes require some additional planning.
That being said, my recommendation to you is to research what it would take to set up a PKI in your infrastructure. As many will attest to, it is not terribly hard to set up a Microsoft PKI on Server 2008; however, I would caution you to step back and really think about how you want to design it. I've run into too many customers that threw together a PKI only to realize at a later date that it is not suitable for their longer-term needs, usually things like being installed on a domain controller, naming conventions used within the CA and templates, improper CA hierarchy, etc. They end up redesigning and reissuing certificates, so it's worth the up-front planning.
Microsoft has a document on how to set this up in a test lab, from start to finish. It is outdated with regard to the Server OS (uses 2003 and IAS rather than 2008 and NPS), but the concepts are the same. It may get you on the right path.
http://www.microsoft.com/en-us/download/confirmation.aspx?id=18161