Have you tried configuring Centralized DHCP Scopes on the IAPs. Configuration > DHCP Server. You could set up an IP helper, and point DHCP to the servers you want responding. On the IAP you can also apply ACLs to the AP ports as well. See below example of me denying ICMP on the uplink port:
wlan access-list session denyicmp
rule 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0 match icmp any any deny
!
wired-port-profile denyicmp
access-rule-name denyicmp
!
enet0-port-profile denyicmp