Despite what the instructions I posted said, all you need to do is:
1. Configure the RADIUS server entry on the Aruba Controller
2. Run the LAN WLAN Wizard and create a WPA2-AES SSID that points to that RADIUS server
3. On the RADIUS server, of course create a client entry for the Aruba Controller
4. On the RADIUS server, create a remote access policy that has "Smartcard", instead of PEAP allowing users/devices
5. Browse to the certificate server with the client using http://x.x.x.x/CertSrv and request a client cert. Install it on that client.
6. Create a WLAN entry on the client that is WPA2-AES with "SmartCard or Certificate" and allow simple cert selection
7. Connect it to the broadcast SSID and you should be done.
All the termination stuff and signing is not necessary. It is for EAP-TLS termination, which is an advanced topic.
The AAA test server will not work unless you are allowing PEAP in a remote access policy (EAP-PEAP, which is username and password authentication). There is no such test for certificate-based authentication.
In a true domain, Step 5 can be eliminated by configuring an autoenrollment group policy so that all clients automatically get certs when they contact the domain.
I hope this even helps.