Hey Leon,
Is there a firewall between the controller and the internet connection used for the RAPs?
If so you'll need to NAT UDP port 4500 from the firewall to the controller.
Also when you're testing the RAP you could try the following commands in addition to the datapath session one you used:
#show crypto isakmp sa
This will show you any IKE security associations. This is IKE Phase 1, or you might have heard this referred to as just Phase 1 of the VPN connection.
#show crypto ipsec sa
This will show you any IPsec security associations. This is the VPN tunnel that's created by IKE Phase 1. Once this is established you're usually good to go.
Also it's worth checking the security log as many IKE errors will pop up there.
Another thing to do is enable debugging, then try to connect the RAP and see what turns up.
#conf t
#logging level debugging ap-debug <macaddress of AP>
#show log ap-debug 30
Or you could debug IKE, but usually I find this isn't necessary:
#logging level debugging security subcat ike
#show log security 30
I hope this has given you something to go on.
Post back with any findings.
Cheers
James