Hi Friend,
It is very simple. by default the eth port of the AP will be untrusted hence you are not able to ping over wired port.
when you are tring to reach the AP through the controller . traffic comes through GRE hence you are able to ping the AP from the controller.
Any way through wireless you are not reaching the AP through the eth port hence you are able to ping the AP.
inorder to reach the AP over the wired port, you need to enable the eth port and make it trusted as shown bellow.
Hope you got more clarity on this.
Please feel free for any furhter help on this.