The line b/w controllers and iap's is getting razor thin. What many of my clients seem to struggle with is the precedent of using controllers as either a CAP or RAP termination poiint and having that centralized model of control for auth, cp etc. There is still merit in using controllers in campus environments where the AP's will only ever be connected on an L2 or a branch office where you need an all in one type platform to terminate the AP's, provide PoE to the AP's, firewall, 3/4G backup etc.
That said you can also now leverage the best of IAP with the best of the controller for a small incremental cost. If you setup your IAP's in your cluster and enable VPN to head-end anchor controller sized appropitatly to handle the inbound L3/IPSec connections - you need not license the controler for AP's, PEFNG or even RFProtect.
You leverage the inherent capability (and zero licensing cost!) of the IAP to provide these services, but anchor your VC to a controller that in this case is acting like a VPN concentrator. Beauty of this is the controller can be bare-bones from a licensing perspective as VPN services is included in the base ArubaOS.
While RAP's are great, its always been a pain if you loose the head end tether to the controller or need to add more coverage/capacity to a single location. With IAP, this all goes away...site survivability, ability to add IAP's to the custer, L3 roaming, HS2.0 etc but still provides that central architecture via the anchor controller(s).
See: http://www.arubanetworks.com/solutions/serviceprovider/