Do you have any firewalls in between that is blocking the ports needed for the RAPs to build up the tunnel ?
RAPs connect to the controller on UDP port 4500 to create the IPSEC tunnel
Do you have any ACLs in the controller just allowing the other public IP address ?