(I posted this earlier today, went to edit it, and somehow it got deleted, so here it is again)
I just wrote about this subject so let me add to what has already been mentioned. The entire process is as follows. CJ can correct any details that I'm wrong on. :-)
When the cluster is created, the cluster leader builds a bucket map for each ESSID that is part of the cluster. The cluster leader takes the total number of cluster members and assigns a number to each one, starting with 00, 01, 02... for however many cluster MCs there are. The cluster leader then creates a bucket map for one of the ESSIDS and distributes the numbers across the bucket map. Think of the bucket map as simply two lookup tables for each ESSID with 256 positions in each lookup table. The first tables is the active or UAC pointers and the 2nd table is the standby or S-UAC pointers. (this is done for each ESSID, but lets just think about one for now)
When the maps are created for each ESSID, they are sent to the APs. This map will be the same, as long as you do not add an MC or remove an MC from the cluster. So the APs hold the maps. When a user tries to connect to an ESSID, the AP performs a hash on the extended unique identifier (last 6 hex digits in the MAC address) of the user MAC address, and generates an ASCII number between 0-255. (the hash is a simple formula, I think it is public knowledge, but just in case it isn't, I will not divulge it - CJ if you know if it is, let me know and I'll come back here and explain it).
Once the AP has generated the hash for the client, it simply uses the ASCII hash value and looks up that position in both the active and standby tables in the bucket map, finds the controller number 00,01,.. and cross references it to the IP address of the MC and establishes the UAC and S-UAC tunnels for the user.
Hope that puts the pieces together,