Hi Seth, thanks for the feedback. I thought about it a bit more and read a bit more. Unfortunately we won't be managing the LAN, only the wireless, so we will only get to the IAPs through the VPN IP (VC IP) for management and/or Airwave. The only traffic going through the tunnel would be RTLS back to the datacenter; everything else goes straight to the internet (at least for the Guest SSID).
I don't want, nor do I think I need, the user subnet to be present on the VPN controller, as there is no need for that, which is what Distributed, L3 and Local, L3 will give me, since the scopes are handled by the VPN controller.
Even if I use a local DHCP scope, with the IAP-VPN I can get access to the VC and simply route what I need (RTLS).
There will be a corporate SSID (WPA2) that will strictly give internet access, so users will receive a DHCP address from a local VLAN onsite and print to a printer on the same VLAN.
Even if I do decide to go with Distributed, L3, it will probably leave me more flexibility in the future, but for this type of design I'm not sure it is required.