You control this with the firewall rules attached to a role (access-list session). In the example:
ip access-list session <policy>
any any svc-dhcp permit
any alias <name> any permit
user any any route src-nat
The first line will allow DHCP, this DHCP is from the VLAN where the client is placed and will live centrally on the controller. The second line, but basically everything with action permit, will be sent through the tunnel to the controller. The last line, with action route nat will break out on the RAP locally and that traffic source IP will be NATted to the IP address of your RAP. So IP and default gateway will be on or behind the controller, but due to NAT the client traffic can be routed directly to the internet.
So: permit = tunnel to controller, route nat = break out locally.