On the controller where you select termination in the 802.1X AAA profile did you select both PEAP for outer method and msChap for inner? Both have to be checked.
The problem with your earlier certificate issue- you ALWAYS validate server cert. but the windows cert you downloaded was not from a true CA. So Microsoft put it into your intermediate certificate- it is a windows 7 (vista too) security feature. If you re- download the certificate, and manually specify where to place it - put it in the trusted root Certificate Authority folder. Then when you setup the profile for wireless you go Into peap settings and make sure validate server certificate is checked- and then in the list select the checkbox next to the certificate you installed. This is mandatory as it protects you from connecting to a man in the middle attack.
Also- when you do this, and the. Enable termination the client won't connect - that is because the client is using the Windows cert. but the controller is using secure logon.arubanetworks.com. (Default one from the Aruba OS. ). You will then be promoted by windows that it can't verify the integrity of server certificate. Do you want to connect?
This is that protection. That server cert doesn't match what you are expecting. You have to override it. The way to fix this in real life would be to load the server cert to the Aruba controller where client would be receiving the proper certificate. And this this time if would just authenticate (no errors).