I would personally vote to never turn off CPSec, unless you really understand the risks that you open up and you only use a secured network between the APs and controllers.
For some long-term Aruba engineers, it has become standard procedure to turn off CPSec as one of the first things they do when they touch a controller. This probably originates from the early days of CPSec when it had issues, or they learned from someone who had early experience with CPSec.
As with many security features, there will be a day that you need to turn them on again and that is a disruptive and risky step in a live network. I personally have not found a deployment where CPSec had to be switched off. You'd better try a bit harder to make it work with security enabled, which is really not hard in the case of CPSec.
If you don't have time to fully understand CPSec, turn on the feature auto cert provisioning instead of disabling the whole feature:
Or from the CLI:
control-plane-security
   auto-cert-allow-all
   auto-cert-prov
!
With that feature on, the behavior is very similar: all APs will connect to the controller, but the connection will be secured and authenticated with the AP's TPM certificate. It is true that the AP will go through another reboot so a little more patience may be needed before your first AP shows up.
When all APs are deployed, it may make sense to disable the Auto Cert provisioning again, and manually whitelist APs when added to the network. By that time, read into the feature ;-)
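Added example, not part of the original post and not Aruba's own tooling: a small audit that reads a saved controller config and reports which of the CPSec states discussed above it is in, so that a rollout setting left on after deployment gets noticed. The sample configs are constructed, and the `no cpsec-enable` and `no auto-cert-prov` lines plus the meaning given to `auto-cert-prov` without `auto-cert-allow-all` are assumptions about how the config is written out.

```python
# Constructed sample configs, not captured from a real controller.
SAMPLE_ROLLOUT = """\
hostname "ctrl-lab"
control-plane-security
   auto-cert-allow-all
   auto-cert-prov
!
"""
SAMPLE_DISABLED = "control-plane-security\n   no cpsec-enable\n!\n"  # assumed form
SAMPLE_LOCKED = "control-plane-security\n   no auto-cert-prov\n!\n"  # assumed form


def cpsec_block(config):
    """Return the lines inside the control-plane-security stanza, or None."""
    lines, inside = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "control-plane-security":
            inside = True
        elif inside and line == "!":
            return lines
        elif inside and line:
            lines.append(line)
    return lines if inside else None


def audit_cpsec(config):
    """Classify the CPSec posture described by a saved config."""
    block = cpsec_block(config)
    if block is None:
        return "UNKNOWN: no control-plane-security stanza found"
    settings = set(block)
    if "no cpsec-enable" in settings:
        return "DISABLED: AP to controller control traffic is not secured"
    if "auto-cert-prov" in settings:
        if "auto-cert-allow-all" in settings:
            return "ROLLOUT: every AP is auto-provisioned, turn off after deployment"
        # Assumption: without allow-all, provisioning is limited to listed addresses.
        return "ROLLOUT-RESTRICTED: auto provisioning limited to listed addresses"
    return "LOCKED: new APs must be whitelisted manually"


if __name__ == "__main__":
    for name, cfg in [("rollout", SAMPLE_ROLLOUT), ("disabled", SAMPLE_DISABLED),
                      ("locked", SAMPLE_LOCKED)]:
        print(name, "->", audit_cpsec(cfg))
```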