Right more or less got it sorted. Issue was that while the main controller was setup as a Radius client the backup controller was not. And the test AP was working off the backup controller.
So now clients can connect and join the network and all working. The only remaining issue is that the certs that the clients have to accept is 'not verified'
This is the same issue if it is the aruba cert from the controller or the server cert from the radius server.
I am thinking the best option would be to load a cert onto the controller! Thoughts?