To clarify, the three options you presented:
PEAP-MSCHAPv2 - Certificate on RADIUS server only
EAP-TLS - Certificate on RADIUS Server and Client
EAP-TTLS - Certificate on RADIUS Server only; similar to PEAP (EAP-TTLS is not supported on Windows XP or 7 without an additional supplicant; Microsoft has added it in Windows 8)
On the IAP (or controller if it is controller based), the SSID is set up as WPA2-Enterprise; the authentication types are not relevant (unless terminating the tunnel). The RADIUS server is the one that will determine who has access based on policies and supported authentication types: EAP-TTLS, EAP-TLS, etc.
You may need to set up multiple RADIUS server entries with differing NAS Identifiers for each SSID to differentiate the requests coming from the IAPs. That way the RADIUS server can determine which SSID the client is connecting from. If you have ClearPass or another RADIUS server that can import Aruba VSAs, you can use the Aruba-Essid-Name attribute to see the SSID name in the RADIUS request.
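
The two attributes mentioned in the post above, shown as an added example that is not part of the original post: a small Python parser that pulls NAS-Identifier and the Aruba-Essid-Name VSA out of a raw Access-Request so a policy can key on the SSID. The function names, the sample SSID and the sample NAS name are constructed for illustration; the vendor ID and attribute number are taken from the Aruba RADIUS dictionary.

```python
import struct

ARUBA_VENDOR_ID = 14823      # Aruba's IANA enterprise number
ARUBA_ESSID_NAME = 5         # Aruba-Essid-Name in the Aruba VSA dictionary
NAS_IDENTIFIER, VENDOR_SPECIFIC = 32, 26   # RFC 2865 attribute types

def parse_attributes(packet: bytes):
    """Yield (type, value) for each attribute of a RADIUS packet (RFC 2865)."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20                                  # attributes follow the 20-byte header
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def ssid_hints(packet: bytes) -> dict:
    """Return NAS-Identifier and Aruba-Essid-Name if the request carries them."""
    found = {"nas_identifier": None, "essid": None}
    for atype, value in parse_attributes(packet):
        if atype == NAS_IDENTIFIER:
            found["nas_identifier"] = value.decode("utf-8", "replace")
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            sub = value[4:]                   # one VSA may hold several sub-attributes
            while vendor == ARUBA_VENDOR_ID and len(sub) >= 2:
                vtype, vlen = sub[0], sub[1]
                if vlen < 2 or vlen > len(sub):
                    break                     # malformed sub-attribute, stop parsing it
                if vtype == ARUBA_ESSID_NAME:
                    found["essid"] = sub[2:vlen].decode("utf-8", "replace")
                sub = sub[vlen:]
    return found

def attr(atype: int, value: bytes) -> bytes:
    """Encode one type-length-value attribute."""
    return bytes([atype, len(value) + 2]) + value

def build_sample() -> bytes:
    """Constructed Access-Request (code 1); the SSID and NAS names are made up."""
    vsa = struct.pack("!I", ARUBA_VENDOR_ID) + attr(ARUBA_ESSID_NAME, b"corp-eap-tls")
    attrs = attr(1, b"alice") + attr(NAS_IDENTIFIER, b"iap-corp") + attr(VENDOR_SPECIFIC, vsa)
    return struct.pack("!BBH16s", 1, 7, 20 + len(attrs), bytes(16)) + attrs
```

A request from a NAS that does not send Aruba VSAs leaves `essid` as `None`, which is the case where separate NAS Identifiers per SSID are the only way to tell the SSIDs apart.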