1. You should not have to reboot the controller for anything besides a change in firmware.
If you make a change, you should be able to disconnect clients on the commandline of that MD (controller) using "aaa user delete":
(aruba7640) #aaa user delete
all Delete all users. Can take upto 5 mins if there are
large number of users getting deleted
ap-ip-addr Match AP IP address
ap-name Match AP name
mac Match MAC address
name Match user name
role Match role name
A.B.C.D Match IP address
If you rebooted the controller and clients are still stuck in the wrong role, you made the wrong change.