There is a problem with your design:
There is no real purpose to a layer 3 cluster, because all clients will be disconnected when access points from one controller fail over to another cluster, which will cause a disruption. That eliminates the real purpose of a cluster, which is seamless client failover when access points connect to a different controller.
Secondly, you should not design a network where a client will obtain a different IP address when it is in a different building, because the client will face manual disruption to its applications, and that will generate helpdesk calls.
Best design:
Put both controllers in the same building, where the cluster will be L2 and clients will be able to preserve VLANs and IP addresses when roaming AND if a controller fails, connectivity will be preserved if access points fail to a second controller, as well.