This assumes you have already staged the 7010 with the configuration and have tested it on a single AP to ensure everything works as you expect. This means that AP groups on the old and new exactly match (otherwise you will have to re-provision all the APs into the new groups on the 7010), that the config is using the same RADIUS server and that the new controller IP(s) are added as RADIUS clients, that any SSL or server certs you may have on the 3400 have been created and installed on the new 7010, etc.
When you change the DHCP and/or DNS to point the APs at the new controller, the APs will have to be rebooted. When they reboot, they will get the new controller IP and terminate on your 7010. If you have CPSec enabled, you will need to enable auto-provision in CPSec to let the APs automatically pull the new controller cert for the whitelist. If you DON'T enable auto-prov in CPSec, you will need to manually approve each AP to pull the controller cert. Then the APs will reboot again (after the new certs for CPSec are pulled).
DOUBLE-CHECK that NONE of your APs have any static variable provisioned. If you leave up the old controller, you will know right away, since any rebooted APs will come back to the old controller.
But all this hinges on the first paragraph, that you replicated groups exactly, that the new 7010 config is good, tested, and validated, that all RADIUS settings have been updated accordingly, etc.