Is the ISA server doing NAT for you or do you have a public IP on the controller (or is some other device doing NAT)?
Do you have a default route on the controller pointing back to the ISA server?
Do a "show log security all" and "show log system all" and look for the IP and MAC of the RAP. See if you see any messages that would help debug this.
Are you sure you have the format of the RAP MAC address right in the DB? Do a "show local-userdb-ap" and make sure the MAC is correct (I think you have already done this though..). It should be all lower case and have ":"s between every 2 characters.
Sorry if you have already done some of this, but we have to start at the start to get to the bottom of it.