CPSEC is short for control plane security. It sets up an ipsec tunnel between the AP and the controller. This tunnel is done via secure certificate. When you turn this on, all of your AP's will have to negotiate this key exchange and then set up an IPSEC tunnel to the controller.
This tunnel encrypts all traffic, including the command and control traffic, to the AP. This allows the controller to pass the decrypt keys to the AP so the AP can do local decrypt and ACL functions. It opens a few more mode operations (bridge, tunnel decrypt)
We tested this extensively when it was first rolled out in 5.x. Local bridging is particularly interesting in that you can pass the building VLAN to the client, but maintain your firewall and role status. When you roam your session information is copied to the AP you moved to. You DO need to make sure you have adjusted port security on your switching platform or it may trigger a shutdown on your port..
It does add processing overhead to the AP and the controllers. This is a system setting not an AP group, so one check box turns on a lot of things...