What I've found is the following.
Configure the controller end GRE and map the VLAN to tunnel. Make sure you choose Tunnel Mode 48. I like to use the loopback as the tunnel source but that is up to you.
On the IAP VC end create the GRE tunnel, disable per AP tunnel, and make sure the tunnel mode is 48 also. In the routing profile define 0.0.0.0 0.0.0.0 via the same ip as the GRE tunnel endpoint (e.g the controller loopback).
Now to map the VLAN into the tunnel, go into the DHCP section and define a L2 Centralised DHCP with the VLAN that is to be tunnelled.
Finally create a WLAN and reference the VLAN again as "static"
For corporate traffic you can create another WLAN and just reference a different VLAN that is not defined as L2 centralised in the DHCP section.
Don't ask me why it needs to be this complicated.
Regards
Chris