I can see that IPSec connectivity is established to the second controller using 'show datapath session table <RAP Public IP>'.
The RAP is provisioned using a DNS record pointing to the first cluster node, but I'm assuming once it connects it will populate its nodelist with both.
I'm trying to observe the impact in the AP 'failing over' to using the other controller as an AP / User Anchor.
It seems the only way to do this may be to reload the active controller during a maintenance window?