I may be way off base here, but this is my understanding after looking into it in my own environment...
If a station associates to an 802.1x SSID but does not complete the EAPOL process within a timeout period (~60 seconds?), the controller deauths the station & logs it in the client's trail-info as an APAE disconnect.
In my environment, I see this sometimes when a client is too far from an AP (walking across campus w/their phone in their pocket), or if a client's driver is quite old.
If I'm completely wrong on this, Aruba folks, correct me and blank my post! :)