For the RAP, you provision it on the RAP end...not the controller. On the controller, you need the RAP to be whitelisted and the approprate AP group defined. Like was mentioned, in the AP Group, make sure that the AP system profile that's defined does NOT have an LMS IP address. Also note that if you are using the "default" AP system profile WITH an IP address, please create another one for your RAPs. If you don't and you remove this IP, then you may end up with provisioning issues in the future internally.
Now...on the RAP end...when you convert, you use the firewall EXTERNAL IP address in the conversion process on the RAP. You do NOT use the controller's internal IP.
Hope this helps!