You need supported switches which you already have, ClearPass which you have, and the mobility controllers. AP/PEF licenses too for each switch (stack) you have.
You can choose to create tunnels from a single port manually, or use ClearPass to select which user role the client gets on a mobility controller. I think you could also do per-port tunneling with ClearPass.
You return "tunneled-node-server-redirect secondary-role" from ClearPass, and that role can be for example "devnet-site1" or if you put them all in the same role just "devnet". You need to have this role on the controller.
We're thinking of doing just tunnels from each port (depending on the user role returned from ClearPass) to the mobility controller, and all the traffic between users, even on the same switch, would traverse the controller. If you want local traffic to stay local, you could probably do some sort of "jump cable" from one VLAN to another and tunnel just that, so the whole site would be considered a single tunneled entity.
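Added example (not from the post above): a switch-side configuration sketch for the role-based setup being discussed. The controller address, the role name "devnet" and the exact command syntax are assumptions based on the ArubaOS-Switch user-based tunneling CLI as I recall it; the only command the post itself gives is `tunneled-node-server-redirect secondary-role`, so check the remaining lines against your switch release's documentation before using them.

```text
! --- ArubaOS-Switch side (assumed syntax; constructed example) ---
! Point the switch at the mobility controller and use role-based
! (per-client) tunneling rather than per-port tunneling.
tunneled-node-server
   controller-ip 10.0.0.1        ! constructed placeholder address
   mode role-based
   exit

! Let the switch apply the user role that ClearPass returns.
aaa authorization user-role enable

! Local user role matching the role name ClearPass returns.
! The secondary role must already exist on the controller; if it does
! not, the client is not tunneled and the authentication should be
! treated as a failure, so check the controller's role list first.
aaa authorization user-role name "devnet"
   tunneled-node-server-redirect secondary-role "devnet"
   exit

! --- ClearPass side (enforcement profile, described in prose) ---
! Return the role name "devnet" to the switch in the RADIUS Access-Accept
! (the HPE user-role attribute on the switch service). With per-site
! roles you would instead return "devnet-site1" and define a matching
! "devnet-site1" role both here and on the controller.
```

Because every tunneled client lands in the controller role named as the secondary role, the firewall policy attached to that controller role is what actually controls what tunneled clients can reach; when auditing the setup, review that policy on the controller rather than only the VLAN assignment on the switch.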