While your RAP is attempting to come up, SSH into the controller and execute the command below:
(rap-local) #show datapath session table | include 4500
That will tell you if any UDP 4500 traffic is being seen by the controller. For every "session" coming in, you should see two lines: one for traffic coming into the controller and one leaving the controller back to the RAP. If you do not see any of that traffic, you need to fix your perimeter firewall.
Next, type:
(rap-local) #show crypto ipsec sa
That will tell you if your AP is making the security association that is needed to communicate with the controller.
If it is not, make sure you have the AP's MAC address in the RAP whitelist, AND you have an IPsec pool configured.
Further, you can turn on debugging:
(rap-local) #configure terminal
(rap-local) (config) #logging level debugging security process crypto
Then type "show log security 50" and examine the output.
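
The "two lines per session" check from the first step can be run over saved CLI output. The script below is an added example, not part of the original post. The controller address, the sample rows and the assumed column order (source IP, destination IP, protocol, source port, destination port) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of "show datapath session table | include 4500" output.
# Assumed layout: source IP, destination IP, protocol, source port,
# destination port, then further columns that this script ignores.
SAMPLE = """\
203.0.113.10    192.0.2.1       17   4500  4500   0/0     0 0   1   0/0/0    1c   FC
192.0.2.1       203.0.113.10    17   4500  4500   0/0     0 0   1   0/0/0    1c   F
198.51.100.7    192.0.2.1       17   61234 4500   0/0     0 0   0   0/0/0    2    FC
10.0.0.5        10.0.0.9        6    4500  443    0/0     0 0   0   0/0/0    3    F
"""

ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)\b")

def natt_sessions(output, controller_ip):
    """Group UDP 4500 rows by remote peer and record which directions appear."""
    peers = defaultdict(lambda: {"to_controller": False, "from_controller": False})
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, separators, blank lines
        src, dst, proto, sport, dport = m.groups()
        # "include 4500" is a plain text match, so filter on protocol 17 (UDP)
        if proto != "17" or "4500" not in (sport, dport):
            continue
        if dst == controller_ip and dport == "4500":
            peers[src]["to_controller"] = True
        elif src == controller_ip and sport == "4500":
            peers[dst]["from_controller"] = True
    return dict(peers)

def report(output, controller_ip):
    """Return {peer_ip: 'both directions' | 'inbound only' | 'outbound only'}."""
    result = {}
    for peer, seen in natt_sessions(output, controller_ip).items():
        if seen["to_controller"] and seen["from_controller"]:
            result[peer] = "both directions"
        elif seen["to_controller"]:
            result[peer] = "inbound only"
        else:
            result[peer] = "outbound only"
    return result

if __name__ == "__main__":
    for peer, state in report(SAMPLE, "192.0.2.1").items():
        print(peer, state)
```

An empty result means no UDP 4500 rows reached the controller at all, which is the case the post attributes to the perimeter firewall.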