There is not currently a self-signed cert within the controllers - the cert that ships by default comes from a CA. And yes, it uses SHA-1. If you're actually using that cert in a production network, SHA-1 is the least of your worries. You should not use the default certificate - ever.
In future versions of ArubaOS, the controller will generate a self-signed cert. This cert will be signed using SHA-2. On the other hand - the signature is meaningless (it is self-signed) so I don't think it particularly matters what we use. You'll need to either a) replace that cert with something from a CA (the preferred approach) or b) save and pin the public key.
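The "save and pin the public key" option above, as an added example (not part of the original post and not ArubaOS code): a stdlib-only Python routine that hashes a certificate's SubjectPublicKeyInfo, so the pin is unaffected by whether the self-signed cert carries a SHA-1 or SHA-2 signature and changes only when the key changes. The function names are hypothetical, and the sample certificates are constructed, certificate-shaped DER with placeholder key bytes.

```python
import base64, hashlib, hmac

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert):
    """Return the SubjectPublicKeyInfo element of a DER X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)    # Certificate
    _, pos, _ = read_tlv(cert, pos)  # tbsCertificate
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                  # optional [0] version field
        pos = end
    for _skip in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    _, _, end = read_tlv(cert, pos)
    return cert[pos:end]

def spki_pin(cert):
    """Base64 SHA-256 of the public key; the cert's signature is not hashed."""
    return base64.b64encode(hashlib.sha256(spki_der(cert)).digest()).decode()

def pin_matches(cert, saved_pin):
    return hmac.compare_digest(spki_pin(cert), saved_pin)

# --- Constructed sample data: certificate-shaped DER, placeholder key bytes ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

RSA = bytes.fromhex("2a864886f70d010101")         # rsaEncryption
SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # sha1WithRSAEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption

def sample_cert(sig_oid, key):
    alg = der(0x30, der(0x06, sig_oid) + der(0x05, b""))
    name, when = der(0x30, b""), der(0x17, b"250101000000Z")
    spki = der(0x30, der(0x30, der(0x06, RSA) + der(0x05, b"")) + der(0x03, b"\x00" + key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name + der(0x30, when * 2) + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))

KEY_A, KEY_B = b"\x11" * 140, b"\x22" * 140
SAVED_PIN = spki_pin(sample_cert(SHA1_RSA, KEY_A))  # recorded on first trust
```

A pin recorded this way is only as trustworthy as the channel over which the certificate was first fetched, so record it out of band or over a connection you already trust.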