You might have seen that in the Aruba Networks Government Solutions Guide, more specific Requirement 3:
"In an Aruba (added: controller) network, sensitive information such as user encryption keys remains inside the data center in the Controller. In our opinion, AP-based crypto does not provide end-to-end encryption, as mandated by DoD Directive 8100.2 – because encryption ends at the AP, not the core of the network. This mandate has forced some organizations to deploy “overlay cryptography” solutions to ensure FIPS, UC-APL and/or DoD Directives compliance, which in turn increase complexity, and causes significant design challenges and awkward end-device behavior."
What I personally like in the centralized encryption is that because there is no user traffic crypto processing and thus the keys needed for that in the AP, you can consider the AP and all network between the AP and the controller out-of-scope for your security evaluation of the wireless. That means that you can place APs even in untrusted environments while keeping the wireless traffic itself secured. With encryption in the AP you probably can get to an acceptable security level on most deployments if you take the AP itself, and the port it is connected to, in-scope and evaluate the overall security. Instant APs can even run in FIPS mode to get validated crypto operations.
There is some good reading in the article mentioned above.