Is the IAP cluster managed by Airwave or Central? Starting with controller release 6.4.x.x, there is an additional security feature introduced to only allow IAP VPN branches with a trusted configurator to register on the controller. Based on the symptoms described in the earlier comments, this could possibly be causing an issue.
The VPN tunnel does come up, but the IAP does not register with the controller, causing client Centralized L2 VLANs to not be registered on the controller and leading to clients not getting an IP.
This can be manually overridden by disabling IAP trusted branch DB validation if the cluster is not managed by Airwave/Central.
(7240) (config) #iap trusted-branch-db allow-all
All IAP+VPN branches are trusted
(7240) #