Interesting, we had a similar issue with 6.5.3.3 and iOS devices. Working with TAC we believe it was related to 802.11r but in this case we are using 802.1x.
When we did a show user mac <mac address> on the CLI, we had a blank spot next to the output for dot1x authserver, which led us to believe that RADIUS was not being initiated by the controller (despite being configured correctly), and most of these users (nearly all of these were iOS devices) were ending up in the denyall state. You can see this by running the show user role denyall command on the CLI.
In the end we turned off 802.11r and downgraded again to 6.5.3.1 and I understand TAC are working on a permanent fix. What I can't answer is if this is the same problem that relates to a PSK network. So, I suggest you open up a TAC case to look into it.
Let me know if you want any more detail on our situation.
Alexander.