Thanks for the help, it seems I didn't check L2 authentication failthrough and I didn't realize the user roles we were giving out did not have any firewall rules applied and were getting deny all. Users were then hitting clearpass and on successful auth getting IP.
Another question though, we moved the AP into another subnet, only 2 hops to the controller (gateway, core, controller) and we have a device in the same subnet that can ping the aruba controller. However, the AP-225 keeps going from up to down to up to down, but not rebooting. Does anyone know why this is might be happening now? CPSec is enabled, but auto cert provision and all is checked.