Hi,
Though the problem description is not clear, let me explain how Aruba technology works.
1. If you bring up an AP on tunnel mode, client traffic will be terminated directly on the controller and controller will map policies to that traffic.
2. Mapping VLAN to that traffic depends on Server derived/Role/VAP,
3. First controller will check whether there is any SDR for VLAN mapping if not it will check Whether any VLAN mapped to the Role (Authenticated) if not it will map the VLAN which is mapped to the VAP (SSID)
bottom line is, On which VLAN-Interface the traffic will hit depends on the above criteria.
Hope I tried to give some clarity, if not please feel free to comeback.