Here is a list of the changes that TAC made to my configuration in order to get mobile devices roaming properly. These settings also solve the slow performance issue on iOS devices when using encryption on your SSID. This will not prevent a hiccup if you are roaming from one controller to another, as that requires a re-auth, unless you do some fancy IP mobility.
Even though the AAA profile below says dot1x, it was done on both a WPA2-AES and a WPA2-PSK SSID. I am only showing the lines added! The "....." indicates that there are other lines already in this config area that were not changed.
aaa authentication dot1x "Your-dot1x-profile"
   .....
   validate-pmkid
!
rf optimization-profile "Your-rf-opt-profile"
   handoff-assist
!
TAC also disabled Client Aware, but I believe this was just for testing purposes.