Ok, so by way of wrapping up loose ends I just wanted to update on how the migration went and highlight a couple of gotchas:
A procedure that I tested but which did not work was to simply change the vlan that the AP was sitting on to our AP management vlan, with the idea that eventually the AP would realise it couldn't talk its current master, and would reboot, and as part of the reboot process it would *not* reuse the same master address it had been using, but would pick up the option 43 address that we supply to it via DHCP. But although the AP did pick up a new address for itself on the new vlan it just kept trying to use the old master address and so this method failed. I don't know if this is expected behaviour?
The method we ended up using instead was to add a provisioning profile to each group of APs which included our master address, then once the APs went down the customer reconfigured his switchports onto our AP vlan. The APs were then able to find our master once they rebooted.
I whitelisted all the APs that were being migrated onto our system in advance including the ap-name and ap-group parameters. I did this at about 8am on the morning of the migration, we began shifting APs at about 11 and the first (thankfully small) batch came up as 'Denied' - had the entries timed out? They still showed when I ran 'show whitelist cpsec mac <mac>'. I had to delete them and re-add the entries - which itself was entertaining because sometimes I would delete the entry and re-add it and all would be fine, but other times I would delete it and try to readd the entry but would receive notification that the entry already existed! This would happen whether or not I did a 'wr mem' after deleting the entry and waited for the locals to update. Once the entries were back in however the APs came up with the right AP groups and right AP names, so as long as I added them to the whitelist very shortly before migration it worked well.
Anyway, ultimately the migration was completed in pretty good time and without much drama once the initial whitelist issue was ironed out.
Thanks