I will let others chime in about their specific experience with deployments:
Authentication with RSA secure-ID is possible with the controller, or with the additional policy infrastructure of Clearpass Policy manager. Both methods require that your wireless endpoints have a supplicant installed that supports EAP-GTC. EAP-GTC is necessary due to the method that RSA uses for authentication. The built-in Windows supplicant does not support EAP-GTC. Juniper Odyssey is probably the most popular and flexible client-side supplicant. The advantage of using ClearPass instead of the controller allows you to make additional policy decisions based on attributes returned from AD based on the username that the user logs into RSA with.
Important supported aspects of of ClearPass or controller deployment is something called "Token Caching", where the user does not have to key in his/her pincode every time the laptop roams.
For logging into the management interfaces of Airwave, the controller, and ClearPass, RSA Token Authentication is supported without loading a supplicant on your endpoint devices. This is done authenticating directly to RSA using radius.