Well, assuming you have things working on your end and you want/have to use LDAP, back to your original questions:
1: Can the certificate come from our private CA, or does it need to be issued by a CA that is trusted by the wireless controller?
Yes, the certificate can be from any CA, however it will need to be trusted by the controller.
2: What should the common name of the certificate be?
Doesn't really matter in this use case; usually it is the hostname, but can be something else.
3: Should the certificate be installed on the domain controller (I believe yes), or should it be installed on the wireless controller (which is what my windows domain admin thinks)?
Yes, if you want to secure LDAP on the domain controller, then the certificate is installed on the domain controller. The controller just needs to trust it; so you are going to import the trusted CA or the certificate itself (if self-signed) into the controller.
Also, because you are using LDAP, you'll need dot1x termination on the controller and use EAP-GTC, which I assume you have already set up since you say you have it working already.
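
The trust relationship from answers 1 and 3, as an added example that is not part of the original post: it builds a throwaway private CA and a domain-controller certificate with `openssl`, then checks which imported trust anchor lets the certificate validate. All names (`Example Private CA`, `dc01.example.internal`) and file names are constructed placeholders, and `openssl verify` stands in for the controller's own trust check.

```bash
#!/usr/bin/env bash
# Constructed demo; every name (Example Private CA, dc01.example.internal) is a placeholder.
WORK=$(mktemp -d)

# Minimal config so the run does not depend on the system openssl.cnf.
cat > "$WORK/o.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# new_root <name> <CN>: self-signed certificate (a CA root, or a self-signed server cert).
new_root() {
  openssl req -x509 -config "$WORK/o.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue <name> <CN> <ca>: server certificate signed by the CA named <ca>.
issue() {
  openssl req -new -config "$WORK/o.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.pem" 2>/dev/null
}

# trusts <anchor> <cert>: succeeds only if <cert> chains to the imported <anchor>.
trusts() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# report <anchor> <cert>: print the outcome of one trust check.
report() {
  if trusts "$1" "$2"; then echo "anchor=$1 cert=$2: trusted"
  else echo "anchor=$1 cert=$2: NOT trusted"; fi
}

new_root private_ca "Example Private CA"                  # the organisation's own CA
new_root other_ca   "Unrelated CA"                        # a CA that did not issue the DC cert
issue    dc         "dc01.example.internal" private_ca    # cert installed on the DC
new_root dc_self    "dc01.example.internal"               # alternative: self-signed DC cert

report private_ca dc        # CA imported on the controller: chain validates
report other_ca   dc        # wrong anchor imported: validation fails
report dc_self    dc_self   # self-signed cert imported as its own anchor: validates
report private_ca dc_self   # self-signed cert but only the CA imported: fails
```
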