I don't have the full answer for your question, however I can explain some of the mechanics of client traffic, which may help you understand what is happening a little better.
When a client sends a frame to an AP in a non-cluster environment, the client takes the data, encrypts it, and puts it in an 802.11 frame and transmits it to the AP. When the AP receives the frame, assuming the SSID is forwarding client traffic using tunnel mode (generic routing encapsulation [GRE] mode, which is the typical forwarding mode used on Aruba networks), the AP will put an 802.3 header on that frame, encapsulating the 802.11 frame inside the 802.3 frame, and forward it to the controller. When the frame arrives at the controller, the controller then unencapsulates the frame, extracts the L2 source and destination addresses, unencrypts the frame, and then processes it in the controller firewall (assuming PEF license is installed), and then forwards the frame according to the firewall rules and where the frame is going.
If the client roams from one AP to another AP, with both APs connected to the same controller, when the client roams to the 2nd AP, the AP performs the same task, and the client traffic is handled by the controller in the same way and processed through the same firewall, with firewall state being preserved.
If the client roams from on AP to another AP that is connected to another controller (in a non-cluster environment), when the client roams to AP2, the AP will perform the same process, and forward the frame to the second controller. The process will be the same, however the firewall state is not preserved or shared between the two controllers.
In a cluster environment, let us say that it is a 4 node cluster, meaning 4 controllers, or in ArubaOS 8 terminology, 4 mobility controllers (MC). So the 4 MCs are named MC1, MC2, MC3, and MC4. For your question, we can ignore what happens with the APs, and only need to focus on what happens with the client traffic.
When a client connects to an AP, the client is assigned what is known as a User Anchor Controller (UAC) and a Standby User Anchor Controller (S-UAC). In this example let us say that MC1 is the client's UAC and MC3 is the client's S-UAC. The UAC assignment is not actually passed on to the client, but is passed on to all of the APs (I'll explain the S-UAC later). The UAC tells every AP that if this particular client connects to any AP, the client traffic is to be tunneled to the UAC, MC1 in this example, using the same tunneling logic explained earlier. So this means that no matter what AP the client connects to, assuming the AP is part of the cluster, the user traffic is always forwarded to the same controller. So from a logic and firewall state perspective, the user is always connecting through the same controller, maintaining the same firewall state.
The only time this will change, meaning, the only time the user traffic would be directed to a different controller, is if the client's UAC (MC1 in this example) were to go down or become unreachable.
So what happens if the MC1 goes down. As I stated previously, there is a standy, S-UAC, for each client. When the client connects to the UAC, the top 10 firewall sessions are copied between the UAC and the S-UAC. So, if the station is connected to an AP, the AP tunnels the client traffic to MC1. MC1 mirrors the firewall states with MC3 (again, using this example). If MC1 goes down, when the AP attempts to send the user traffic to MC1 and realizes that it can't, the AP instead, forwards the user traffic to the client's S-UAC, which is MC3. The traffic arrives at MC3, as tunneled traffic, same as explained previously, and ultimately MC3 unencapsulates and unencrypts the traffic, and goes to forward it though the firewall on MC3, and since the firewall sessions were mirrored, the client experiences a stateful failover from one controller to another.
I know this does not answer your question, but hopefully makes you understand the process better so that you can either answer your question yourself, or make you understand the process better when discussing it with someone else.
I hope this helps,