So, if you NAT on the controller, that's fine. The traffic is sourced upstream with the controller-ip address.
Outside of that NAT discussion, your clients can run in one of two modes, really, with the controller.
1. L2, where the controller is a bump in the line. The clients' default gateway is NOT the controller. It is the upstream router on the VLAN(s) on the controller. So, on one SSID, you can add one or more VLANs on the network. The client traffic (while inspected and enforced) is a "passthrough", if you will, from a data plane standpoint.
2. L3, where the controller IS the default gateway of the clients. For guest, this is more applicable in some cases because of NAT.
Please look over our VRDs here for more info - http://www.arubanetworks.com/resources/reference-design-guides/