I assume all the IAPs are in same cluster, and you are not using Zones configuration.
In addition to what Colin described, you can also try the below.
1. V.Imp. This can save a lot of time. find out if the issue is, client/SSID/VLAN/authentication specific. By creating a test SSID on open auth, different VLAN with a windows client and doing the same roam.
2. upon failed roam first figure out, where the client (note down its wireless mac address) got stuck, while associating, while authenitcating, or while doing DHCP. use the below commands to check each phase:
association-
show ap debug mgmt-frames
authentication-
show ap debug auth-trace-buf
DHCP-
debug pkt dump type dhcp
debug pkt dump
Pay careful attention to timestamps to study the logs seen by using the above commands.
all these commands are AP specific, so using them on master IAP will not result into useful info. Use these commands on the slaves in question.
After doing the above you would atleast be able to rule out any IAP issues.
If i were you, i would also upgrade the cluster to latest supported software for the AP platform.