Check the user-table to see what role your device is in (show user-table or show user-table | include <ipaddress> or <macaddress>
Then you can issue the command: show rights <user-role-name> which will show you the policies being applied to the device. Look for any rules that might be denying access to the controller's IP.
Another thing to check would be: show datapath session table <ip-address> and look for any "D" flags indicating denied traffic.