Hi
In normal operation, a GRE tunnel is set up between the AP and the controller. This means that all system traffic between AP and controller is NOT encrypted. The user traffic is normally encrypted with the SSID encryption (WPA2-AES).
You turn on control plane security if you need to tighten the security for any reason, or when you need to use an SSID in bridged mode.
For APs that reside on a LAN, with SSID in tunnel mode, you don't need it if you don't have special needs.
What CPS does is push a certificate to the AP and instruct it to build an IPsec tunnel, as opposed to a GRE tunnel, making it more secure.
Roar Fossen