Maybe I misinterpreted the document you referenced "How does AP's respond to ICMP traffic when CPSEC is enabled?".
Requirement:
How does AP's respond to ICMP traffic when CPSEC is enabled?
Solution:
- Ping Request
PC(subnet B) ---ping req---> AP(subnet A) ===> Does not go through Controller
- Ping Reply
AP(subnet A) ---ping reply---> tun0(default route) ---ESP(ipsec)---> Controller ---ping reply---> PC(subnet B)
When we have CPSEC enabled, APs add a default route on themselves (tun0). This default route points to the IP address of the controller.
Hence, the ping reply goes via the controller.