Here's the config I'm using:
Controller2 (users in the VLAN100 get tunnelled back to Controller 1)
!
interface vlan 100
ip address 192.168.0.249 255.255.255.0
!
interface tunnel 91
description "Guest Tunnel"
tunnel source 10.30.1.254
tunnel mode gre 0
tunnel destination 10.21.0.65
trusted
mtu 1500
tunnel vlan 100
!
Controller1 (head end, where layer-3 happens for VLAN100)
!
interface vlan 100
ip address 192.168.0.250 255.255.255.0
!
interface tunnel 91
description "Boise Guests"
tunnel source 10.21.0.65
tunnel mode gre 0
tunnel destination 10.30.1.254
tunnel vlan 100
!
I'm using this for guests, so I trust at the far end, and do-not-trust at the head, and they get dropped off on the portal.