If You use AP as Campus it should be within the organization internal network Managed by MC. If Config as RAP, it should be outside from the network but managed by MC.
But Campus AP/RAP your data/management traffic securely communicate via a GRE tunnel. No need to create another VPN to the corporate network.