I 2nd bjulin's comment about the Validate PMKID parameter - every piece of Aruba literature I've encountered suggests using OKC w/ Validate PMKID for the best combination of both compatibiltiy with improved roaming performance on some devices (if supported). Validate PMKID should only be turned off if all of the clients connecting to the SSID support OKC, which, again Apple products do not support at this time.
In regards to .11k (and .11r), I've created a new SSID in my own environment for testing with many advanced features turned on (still validating PMKID for OKC though). Although few devices actually support .11r/.11k, most modern devices across the board are still able to connect and use the new SSID with no problems, which is good news.
Also, your comment about 11k is correct - it won't improve the roaming speed, just help the client make a better decision about which AP to join. Using this in combination with Client Match is a winning combo.
As you can see from this article (http://support.apple.com/kb/HT5535), modern IOS devices support both 11r and 11k, which makes me hopeful that in the future, OS X will support these as well and other vendors will follow suit.
In light of that experiment, I'm toying with the idea of permanently deploying 2 SSIDs for corporate devices - one with the most compatibility, and one with all of the advanced features enabled. Any devices that can't connect to the advanced SSID can still fall back to the "legacy" SSID. I'm hesitant about this since adding SSIDs wastes airtime, so maybe I'll only do it on 5GHz... I haven't decided yet.
Here is my working sample config with OKC/11r/11k (and a few other tweaks). You can't see from the config, but I've also turned on Airgroup and Client Match. Since OKC w/ Validate PMKID is default, it also doesn't show up. What you do see is I've explicitly denied legacy devices and turned on broadcast filter (Airgroup will take care of the mDNS for Apple TVs). Again, this has been working solidly for all modern devices (with up-to-date drivers for OS X/Windows, mind you). Roaming has not been an issue.
aaa authentication dot1x "Corp-Advanced-auth_dot1x_prof"
voice-aware
!
aaa profile "Corp-Advanced-aaa_prof"
authentication-dot1x "Corp-Advanced-auth_dot1x_prof"
dot1x-default-role "Corp-Advanced-role"
dot1x-server-group "Corp_srvgrp"
!
wlan dot11r-profile "Corp-Advanced-dot11r_prof"
dot11r
!
wlan ht-ssid-profile "Corp-Advanced-htssid_prof"
no legacy-stations
max-tx-a-msdu-count-be 3
max-tx-a-msdu-count-bk 3
max-tx-a-msdu-count-vi 3
!
wlan ssid-profile "Corp-Advanced-ssid_prof"
essid "Corp-Advanced"
opmode wpa2-aes
a-basic-rates 24
a-tx-rates 24 36 48 54
g-basic-rates 24
g-tx-rates 24 36 48 54
wmm
wmm-vo-dscp "46"
wmm-vi-dscp "32"
wmm-be-dscp "0"
wmm-bk-dscp "8"
hide-ssid
deny-bcast
ht-ssid-profile "Corp-Advanced-htssid_prof"
qbss-load-enable
dot11r-profile "Corp-Advanced-dot11r_prof"
!
wlan handover-trigger-profile "Corp-Advanced-handover_trigger_prof"
handover-trigger
handover-threshold 65
!
wlan dot11k-profile "Corp-Advanced-dot11k_prof"
dot11k-enable
force-disassoc
handover-trigger-profile "Corp-Advanced-handover_trigger_prof"
!
wlan virtual-ap "Corp-Advanced-vap_prof"
aaa-profile "Corp-Advanced-aaa_prof"
dot11k-profile "Corp-Advanced-dot11k_prof"
ssid-profile "Corp-Advanced-ssid_prof"
allowed-band a
broadcast-filter all