Let me expand on my comments.
If you are using 802.1X, you can have the RADIUS server return a VLAN attribute to a user based on AD group. That way, you can have a single SSID and users will be automatically put into the VLAN they belong to upon authentication.
You should put the IAP or autonomous AP on a trunk and the AP will send the user traffic out tagged, depending on VLAN.
Adding more SSIDs increases overhead and decreases performance, so having a single VLAN is more efficient and requires less client configuration.
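
What the "VLAN attribute" in the post above looks like on the wire, as an added example that is not part of the original post: dynamic VLAN assignment uses the three tunnel attributes from RFC 3580 (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=VLAN ID). The AD group names, VLAN IDs and priority order are constructed assumptions, and the decoder is a simplified model of the AP side.

```python
import struct

# Attribute numbers and values from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

# Constructed policy (hypothetical AD group names), highest priority first.
GROUP_VLANS = [("WiFi-IT-Admins", 10), ("WiFi-Staff", 20), ("WiFi-Students", 30)]

def vlan_for(groups):
    """VLAN of the first policy group the user is in, or None (no VLAN to assign)."""
    member = {g.lower() for g in groups}
    return next((vlan for name, vlan in GROUP_VLANS if name.lower() in member), None)

def encode_vlan_attrs(vlan_id, tag=0):
    """Build the three Access-Accept attributes that carry a VLAN assignment."""
    if not 1 <= vlan_id <= 4094 or not 0 <= tag <= 0x1F:
        raise ValueError("VLAN ID must be 1-4094 and tag 0-31")
    def tagged_int(attr, value):  # type, length=6, tag, 3-byte value
        return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    vid = (bytes([tag]) if tag else b"") + str(vlan_id).encode("ascii")
    return (tagged_int(TUNNEL_TYPE, VLAN) + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(vid)) + vid)

def decode_vlan(attrs):
    """AP-side view: return the VLAN ID only if all three attributes are consistent."""
    seen, i = {}, 0
    while i + 2 <= len(attrs):
        attr, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            return None  # malformed or truncated TLV: assign no VLAN
        seen[attr] = attrs[i + 2:i + length]
        i += length
    if i != len(attrs):
        return None  # stray trailing byte
    t, m, g = (seen.get(a, b"") for a in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    if len(t) != 4 or len(m) != 4:
        return None
    if int.from_bytes(t[1:], "big") != VLAN or int.from_bytes(m[1:], "big") != IEEE_802:
        return None
    if g[:1] and g[0] <= 0x1F:  # optional leading tag byte on the string attribute
        g = g[1:]
    return int(g) if g.isdigit() else None
```

A user who matches no policy group gets `None` from `vlan_for`; whether that means rejecting the session or leaving it in the SSID's default VLAN is a policy decision to make explicitly on the RADIUS server.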