Is this a new RAP that has never connected to that controller?
Because if that is the case, you also need to open the TFTP ports.
These are the ports you need to open on your ASA:
For Remote AP, the following are required:
1- TFTP (UDP 69) - when the AP has a corrupted image or to download a new image
2- NAT-T (UDP 4500)
After the RAP IPSec connection is formed, all PAPI/GRE traffic is tunneled through this IPSec NAT-T session.