Your RAP whitelist should be fine. That won't change.
Re-address the master first, setting the VRRP as the original address, and the "real" IP as something new. Do this in a booked outage! Allow yourself an hour for comfort and reboots if required.
I then always recommend building the new controller seperately, with it's layer 1 (ports), layer 2 (vlans) and layer 3 (IP config). Then, associate it to the master as a local or backup (whatever you prefer). It will then collect and sync all other config.
You might be better having a standby second controller rather than a local as this will sync RAP whitelists. The only thing you'll loose is the potential for an active-active setup. It's more high availability.
It's all private addressed based on your config, so everything else remains as it is today.