A quick update regarding my woes..... My mistake was that when erasing the controllers, before building the cluster, I ran the command: write erase
I should have used: write erase all
The former clears config but not databases from the controller so the whitelist database for cpsec and raps lingers from the old OS.
Because AOS8 doesn't, by default, sync this database across the cluster the stale entries in the various controllers were causing a problem. Issues were pretty weird because all the APs appeared to coming up ok but when user traffic tunnels were setup to one of the three controllers in the cluster they were being rejected as not approved in the whitelist. So the result was some users couldn't connect because the cluster kept load balancing them to that controller.
Fortunately I figured out what was happening pretty quickly, purged the whiltelist-db on all controllers and the problems went away. TAC confirmed this is as a correct diagnosis and reasonable remedy of the problem.
The show whitelist-db command appears to be meaningless at the managed device level. It shows stuff, but in no way reflects how many APs or user tunnels the controller is serving.
Now this problem is fixed I need to revisit the RAPs and how they behave, but for the moment they've all still running on our one remaining 6.5 controller.