Asa,
I know how this stuff works and you really confused me!
"When CPSec is enabled, each whitelisted or allowed AP gets a certificate from the controller itself."
This is not true: all 'new' APs have a TPM module which stores a factory certificate, so they do not need to get a certificate from the controller; old APs which don't support TPM modules can download one from the controller.
The idea behind CPSec (Control Plane Security) is to protect the control plane so that we can support bridge-mode PSK, etc.
i.e. when we send a key to the AP we don't send it in cleartext but inside IPsec to the AP.
So the only thing inside CPSec (which is IPsec, or NAT-T on UDP 4500) is our proprietary protocol PAPI (UDP port 8211).
I would leave the ports listed open if possible, as any new AP coming up will have to use these before it can become a CPSec AP.
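As an added illustration of the port split described in the reply above (not code from the post, from Asa, or from Aruba): a small classifier that sorts AP-to-controller UDP datagrams into the NAT-T port (UDP 4500) and the cleartext PAPI port (UDP 8211), and demultiplexes the 4500 payload the way any IPsec peer does under RFC 3948 (one-byte keepalive, four-zero-byte non-ESP marker followed by an IKE header, otherwise ESP). The port numbers are the ones stated in the reply; the sample packets are constructed for the example and the PAPI bytes are arbitrary, not a real PAPI message. It makes the reply's point concrete: once an AP is a CPSec AP, what crosses UDP 4500 is ESP, and the PAPI inside it is not visible; PAPI still seen in cleartext on 8211 is an AP that has not yet come up as a CPSec AP.

```python
"""Sort captured AP<->controller UDP traffic into CPSec (NAT-T, UDP 4500) and
cleartext PAPI (UDP 8211), and look inside the NAT-T port per RFC 3948.

Added example: not from the post or from Aruba; all sample packets are constructed.
"""
import struct
from collections import Counter
from dataclasses import dataclass

NAT_T_PORT = 4500   # IPsec NAT-T: IKE negotiation and UDP-encapsulated ESP (per the reply)
PAPI_PORT = 8211    # Aruba's proprietary PAPI; cleartext when not carried inside CPSec

NON_ESP_MARKER = b"\x00\x00\x00\x00"      # RFC 3948 s.2.2: marks IKE on port 4500
NAT_KEEPALIVE = b"\xff"                   # RFC 3948 s.2.3: one-byte NAT keepalive
IKE_HEADER = struct.Struct("!QQBBBBII")   # ISAKMP/IKE fixed header, 28 bytes


@dataclass(frozen=True)
class Verdict:
    kind: str     # nat-keepalive | ike | esp | papi-cleartext | other | malformed
    detail: str


def classify_nat_t_payload(payload: bytes) -> Verdict:
    """Demultiplex a UDP/4500 payload the way an IPsec peer does (RFC 3948)."""
    if payload == NAT_KEEPALIVE:
        return Verdict("nat-keepalive", "1-byte NAT-T keepalive")
    if len(payload) < 4:
        return Verdict("malformed", "shorter than an ESP SPI")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER.size:
            return Verdict("malformed", "truncated IKE header")
        _spi_i, _spi_r, _next, version, exch, _flags, msg_id, length = IKE_HEADER.unpack(
            ike[:IKE_HEADER.size])
        major = version >> 4   # high nibble is the IKE major version (1 or 2)
        return Verdict("ike", f"IKEv{major} exchange_type={exch} msg_id={msg_id} len={length}")
    # Anything else is ESP-in-UDP. An ESP SPI is never zero, which is exactly
    # what makes the all-zero non-ESP marker unambiguous.
    spi = struct.unpack("!I", payload[:4])[0]
    return Verdict("esp", f"ESP SPI=0x{spi:08x}; the PAPI inside is encrypted and not visible here")


def classify_packet(src_port: int, dst_port: int, payload: bytes) -> Verdict:
    """Map one UDP datagram to the protocol the reply describes."""
    if NAT_T_PORT in (src_port, dst_port):
        return classify_nat_t_payload(payload)
    if PAPI_PORT in (src_port, dst_port):
        return Verdict("papi-cleartext",
                       "PAPI outside CPSec: expected only from an AP that is not yet a CPSec AP")
    return Verdict("other", f"udp {src_port}->{dst_port}")


def audit(packets) -> dict:
    """Count verdict kinds over an iterable of (src_port, dst_port, payload) tuples."""
    return dict(Counter(classify_packet(s, d, p).kind for s, d, p in packets))


# Constructed sample traffic (not a real capture). The IKE sample is a bare IKEv2
# IKE_SA_INIT header (exchange type 34, initiator flag set, no payloads); the ESP
# sample is a made-up SPI followed by opaque bytes; the PAPI bytes are arbitrary.
SAMPLE_PACKETS = [
    (4500, 4500, NAT_KEEPALIVE),
    (4500, 4500, NON_ESP_MARKER + IKE_HEADER.pack(0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, 28)),
    (4500, 4500, struct.pack("!I", 0xC0FFEE01) + struct.pack("!I", 7) + b"\xaa" * 24),
    (8211, 8211, b"constructed-papi-bytes"),   # cleartext PAPI from a not-yet-CPSec AP
    (50123, 53, b"\x12\x34\x01\x00"),          # unrelated traffic, just to show the fall-through
]

if __name__ == "__main__":
    for s, d, p in SAMPLE_PACKETS:
        v = classify_packet(s, d, p)
        print(f"udp {s}->{d}: {v.kind:14s} {v.detail}")
    print(audit(SAMPLE_PACKETS))
```

Run against a real capture you would feed it (src_port, dst_port, payload) tuples pulled from pcap; the useful check is the `papi-cleartext` count, which should be limited to APs still in the process of coming up, as the reply says.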