I think I'd be inclined to do the following, which assumes those Aruba APs are doing DHCP...
Modify the role (that comes as a result of ingress into the controller untrusted port and aaa wired profile) to accomodate the following...
By rights, the AP will be using GRE. So you could just add an ACL to the role, which allows GRE from "users" (alias) to the controller IP (to which the AP is attaching). Assume your APs are able to discover the controller via DNS or maybe ADP?
If you've a PEF installed, you should fine an ACL called "ap-acl". If you add this to the role, that would work too. But (as it adds lots of open ports)...
What I can't tell without seeing the whole controller config, is whether this pokes any vulnerabilities in your security design overall!