hi Marcus,
It appears switch 98:f2:b3:90:2d:00 is acting as DHCP relay (10.5.24.1) - was it involved in all your tests as well (e.g. open, psk) ?
There are some small differences in the two captures, perhaps related to this relay. Consider these packet #s from "working cap", where the client is requesting "broadcast dhcp" which is a very windows thing to do and may be the reason for the slightly different behaviour between the devices.
574 - broadcast discover on wifi
577 - broadcast discover packet flooded to sniffer vlan
578 - broadcast offer packet flooded to sniffer vlan, relay=10.5.24.1, dhcp server 10.0.10.21
579 - broadcast offer packet converted and unicasted to client on wifi
584 - broadcast dhcp request from client
587 - broadcast dhcp request flooded to sniffer vlan
588 - broadcast ACK from server flooded to sniffer vlan
589 - broadcast ACK converted and unicast to client on wifi
Now consider the single working cast of "capture", where the client is requesting 'unicast' dhcp.
11009 - broadcast discover from client
11010 - broadcast discover flooded to sniffer vlan
11011 - unicast offer from server, relay=10.5.24.1, dhcp server 10.0.10.21. Note that this time, the offer is only seen at the controller, arriving via vlan 524 over a trunk port
11014 - broadcast dhcp request from client
11015 - broadcast request flooded to sniffer vlan
11016 - unicast DHCP ack from server received on vlan 524 and unicast to client.
So where does this leave us.... It would appear the working/not working cast when the client is not setting the bcast flag on the dhcp packet is due to either the controller or the relay - seems to be one of those two. Without necessarily resorting to doing a packet capture on the trunk port, I would suggest to focus on eliminating the relay as it's the easiest thing to do.
Would it be possible to try adding an ip helper for 10.0.10.21 on the controller as a test to cut 10.5.24.1 out of the equation?
another small difference that I noted is that the working capture has no 802.1q headers inside the vlan 524 traffic, where as the not working one always does - or at least for the clients. If the captures were both made the same way I am not sure why there would be a difference, unless maybe something like a link agg where one link has a wrong native vlan set.