What is not fully clear, is if you connected the APs directly to the firewall. If so, make sure that there is full open traffic on the native VLAN between the different ports.
From the description, it looks like the ports are blocking traffic between the Instant APs.
Connecting a serial console to the APs, and see what is outputted there, may provide some additional information on which direction to check.
Another stupid question would be to see if there are enough IP addresses available in the native VLAN. If the AP can't get an IP, it should be visible on the serial console as well.