We had the same problem here after upgrading from clearpass 6.4.0 to 6.4.4.
TAC had to add a apiadmin account to clearpass as a workaround.
There was a change in behaviour in CPPM 6.4.3 where aruba implemented authentication between switch/controller and CPPM as mandatory for providing downloadable role’s configuration (cppm hardening)
Switches and controllers supports this authentication from version 7.3.2.5 and 7.4.0.2.
I think it is reprehensible that aruba make changes like this without notify, we had access points down for hours before the problem was solved.