presuming your VAP is in tunnel mode, to do a capture from the controller datapath of a single users traffic, look into the following CLI commands:
packet-capture destination ip-address <ip of pc with wireshark running>
packet-capture datapath wifi-client <mac> all (or decrypted)
"all" includes the wifi traffic that is probably going to be encrypted - whether you need that depends on whether your problem is more at the mac layer or not. If you just want the IP traffic of a single client, then use "decryped" instead of "all".
The wireshark pc can be anything that is reachable from the controller, make sure it has it's firewall disabled etc. Perhaps validate on a known working user before capturing on a suspect user. The traffic is encapsulated in GRE and will traverse most networks without any drama.
Don't forget to disable it with "no packet-capture datapath wifi-client" when you are finished.
hope that helps.
-dugem