1) For 802.1X authentication on SSIDs, the controller performs the actual authentication. For the mesh point(s), this connection is carried across the mesh backhaul SSID and protected via that SSID (in addition to the protection provided natively by the EAP type deployed).
2) For the wireless SSIDs, wireless traffic is encrypted and decrypted at the controller. If the SSID is configured in decrypt-tunnel mode (rather than tunnel mode), then traffic is encrypted/decrypted at the AP.
3) The mesh point will put wireless traffic in GRE tunnel(s) back to the controller. Wired traffic can optionally be tunneled back to the controller, when the wired port profile is also configured for tunnel mode.
4) The mesh backhaul is protected by WPA2/CCMP PSK (AES).
5) The tunnel is not changed between the mesh portal and the controller. See item 2 above: wireless users of encrypted SSIDs have their encrypted 802.11 frames carried over the GRE to the controller for encrypt/decrypt when operating in tunnel mode.