So no cpsec? I am going to presume not for now.
These two sentences seem contradictory:
Can ping an AP on same subnet as my PC, but not others...
and
The APs are connected to the network using the same vlan as wired clients, so I should be able to ping one the same as any other connected pc etc.
If I understood your first post, the issue is cross-subnet only and were you to move the 'pinger' to same subnet of an affected AP then the issue is resolved.
At any rate, for starters, see if the AP sees your inbound ping, e.g. set up a constant ping from your PC, and then run
show datapath session ap-name yourApName
Have a look and see if you see the inbound ICMP; it will look like this (pardon the wrapping):
192.168.1.246 192.168.1.24 1 1 2048 0 0 0 0 dev2 13 -- -- FYCI
192.168.1.24 192.168.1.246 1 1 0 0 0 0 0 dev2 9 -- -- FYI
In this case .24 is the AP, .246 is the pinger. Ensure the flags are as you see here, and that you have a matched pair like this (src port is the ICMP seq number, here it is 1).
It might be worthwhile just double-checking the routing table in the AP too: use "show datapath route ap-name yourAPName" and also "show datapath route-cache ap-name yourApName" and make sure it all makes sense (e.g. the MAC addresses in the route-cache make sense for the default gateway of the AP etc.)
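
The matched-pair check described in the post above can be scripted over saved "show datapath session" output. This is an added example, not part of the original post: the function names are hypothetical, the column positions are assumed from the two entries the post quotes, and the third sample line is constructed.

```python
from collections import namedtuple

# Column positions are assumed from the two entries quoted in the post:
# src, dst, protocol, src port (ICMP seq), dst port, ..., flags (last field).
Session = namedtuple("Session", "src dst proto sport dport flags")
ICMP, REQUEST_DPORT, REPLY_DPORT = 1, 2048, 0   # values as shown in the post
EXPECTED_FLAGS = ("FYCI", "FYI")                # inbound, return (from the post)

def parse_sessions(text):
    """Parse session lines, skipping headers, legends and malformed rows."""
    sessions = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0].count(".") != 3:
            continue
        try:
            proto, sport, dport = int(f[2]), int(f[3]), int(f[4])
        except ValueError:
            continue
        sessions.append(Session(f[0], f[1], proto, sport, dport, f[-1]))
    return sessions

def check_ping(sessions, pinger, ap):
    """Map each ICMP seq seen inbound at the AP to a pairing status."""
    icmp = [s for s in sessions if s.proto == ICMP]
    inbound = {s.sport: s for s in icmp
               if (s.src, s.dst, s.dport) == (pinger, ap, REQUEST_DPORT)}
    outbound = {s.sport: s for s in icmp
                if (s.src, s.dst, s.dport) == (ap, pinger, REPLY_DPORT)}
    status = {}
    for seq, req in sorted(inbound.items()):
        rep = outbound.get(seq)
        if rep is None:
            status[seq] = "inbound only: AP saw the ping, no return entry"
        elif (req.flags, rep.flags) != EXPECTED_FLAGS:
            status[seq] = "paired, but flags differ from the post"
        else:
            status[seq] = "matched pair"
    return status   # empty dict: the AP never saw the inbound ping

# First two lines are the entries from the post; the third is constructed.
SAMPLE = """\
192.168.1.246 192.168.1.24 1 1 2048 0 0 0 0 dev2 13 -- -- FYCI
192.168.1.24 192.168.1.246 1 1 0 0 0 0 0 dev2 9 -- -- FYI
192.168.1.246 192.168.1.24 1 2 2048 0 0 0 0 dev2 4 -- -- FYCI
"""

if __name__ == "__main__":
    for seq, result in check_ping(parse_sessions(SAMPLE), "192.168.1.246", "192.168.1.24").items():
        print(f"seq {seq}: {result}")
```

An empty result means the AP never logged the inbound ICMP at all, which points upstream of the AP rather than at its return path.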