User traffic is tunneled between the access point and the controller using GRE, NOT encrypted. If you are using encryption on that SSID, the traffic is tunneled and encrypted using whatever encryption you are using on that SSID. If you are using an Open SSID, there is no encryption and the traffic is just tunneled.
WPA2-AES - Traffic is tunneled and encrypted with WPA2-AES
WPA2-PSK-AES - Traffic is tunneled and encrypted with WPA2-PSK-AES.
Open - Traffic is tunneled and not encrypted.
If you want your traffic to be encrypted on the LAN, you should not be using an Open SSID.
I hope that makes sense.
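
A defender-side way to confirm which of the cases above applies to AP-to-controller traffic captured on the LAN, as an added example that is not part of the original post: strip the GRE header and read the Protected Frame bit of the tunneled 802.11 data frame. It assumes the GRE payload is the raw 802.11 frame with nothing in between; the function names, the sample bytes and the zeroed GRE protocol-type field are constructed for illustration.

```python
import struct

def gre_payload(pkt: bytes) -> bytes:
    """Strip the GRE header (with optional fields) and return what it carries."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    flags, _proto = struct.unpack("!HH", pkt[:4])
    if flags & 0x4000:
        raise ValueError("GRE source routing not supported")
    offset = 4
    for bit in (0x8000, 0x2000, 0x1000):  # checksum, key, sequence: 4 bytes each
        if flags & bit:
            offset += 4
    if len(pkt) < offset:
        raise ValueError("truncated GRE optional fields")
    return pkt[offset:]

def classify(pkt: bytes) -> str:
    """Report whether the tunneled 802.11 data frame is encrypted."""
    frame = gre_payload(pkt)  # assumption: payload is the raw 802.11 frame
    if len(frame) < 2:
        return "unknown"
    ftype = (frame[0] >> 2) & 0x3
    subtype = frame[0] >> 4
    if ftype != 2:
        return "not-data"    # management and control frames
    if subtype & 0x4:
        return "no-payload"  # Null / QoS Null frames have no body to encrypt
    # Protected Frame bit: set when the frame body is encrypted (e.g. WPA2-AES)
    return "encrypted" if frame[1] & 0x40 else "cleartext"

# Constructed samples: GRE header + 2-byte frame control + zeroed remainder.
GRE = b"\x00\x00\x00\x00"                            # no optional fields
GRE_KEYED = b"\x20\x00\x00\x00" + b"\x00\x00\x00\x01"  # key-present flag + key
REST = bytes(24)
WPA2_FRAME = GRE + b"\x88\x41" + REST        # QoS Data, ToDS, Protected set
OPEN_FRAME = GRE_KEYED + b"\x08\x01" + REST  # Data, ToDS, Protected clear
NULL_FRAME = GRE + b"\x48\x01" + REST        # Null function frame
BEACON = GRE + b"\x80\x00" + REST            # management frame

if __name__ == "__main__":
    for name, pkt in [("wpa2", WPA2_FRAME), ("open", OPEN_FRAME),
                      ("null", NULL_FRAME), ("beacon", BEACON)]:
        print(name, classify(pkt))
```

Any "cleartext" result on a wired segment means that SSID's client data is readable to anyone who can capture there, which is the Open case described above.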