Hello,
I believe that Papi and Secure Papi use the same port, as you mentioned 8211. (Unsure on the port)
"PAPI Enhanced Security configuration provides protection to Aruba devices, AirWave, and ALE against malicious users sending fake messages that result in security challenges"
This is done by using a key to authenticate any messages sent. If the key doesn't match then it will be dropped/ignored. Please see the below link I found.
https://www.arubanetworks.com/techdocs/ArubaOS_84_Web_Help/content/arubaframestyles/papi%20enhanced%20security/config_papi_enhanc_secur_feat.htm
In my personal opinion - Using Secure Papi is only necessary when the appropriate network restrictions are not in place and users can access certain VLANs were "approved" Aruba devices sit, I.E a user being able to access the AP VLAN. If users can access the AP VLAN then i would suggest tightening the security so they cant, and if you are unable to then enabling Papi enhanced security.
Thanks