If this is a single site, the default gateway of every device should be the layer 3 switch (site router). The layer 3 switch (site router) would then have a default route pointing to the private IP address of the 3rd party firewall for any internet that is needed. The 3rd party firewall should be able to manage two internet uplinks and determine what path to take, as this will allow failover for the entire site, not just the wireless clients.
The access points should have their own VLAN. WLAN user traffic is tunneled back from access points to the mobility controller over GRE tunnels for enforcement, so the access points should just be on access ports. Access points simply need to be able to send all traffic, management as well as user traffic, back to the controller. The controller will be on a trunk connected to the layer 3 switch. The trunk will allow the controller's management VLAN and any other user VLANs that will be broadcast by the access points. The controller will switch the user's tunneled traffic to the correct VLAN to the layer 3 switch. Since the users will have a default gateway on the layer 3 switch (router), they will have a path to the internet.
Please let me know if that makes sense.
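As an added example (not part of this reply or the thread), here is what the layer 3 switch side of that design could look like in Cisco IOS-style syntax. The thread does not name the switch vendor, so the syntax, VLAN numbers, subnets, port names and the firewall's inside address are all assumptions; the structure (AP access port, controller trunk, SVIs as gateways, default route to the firewall) follows the design described above.

```text
! Added example, not from the thread. Cisco IOS-style L3 switch acting as the site router.
! All VLAN IDs, addresses and interface names below are assumed for illustration.
ip routing
!
vlan 10
 name AP-Mgmt
vlan 20
 name Controller-Mgmt
vlan 100
 name Corp-Users
vlan 200
 name Guest-Users
vlan 900
 name FW-Transit
!
! SVIs: the L3 switch is the default gateway for every subnet on the site.
! AP-to-controller GRE traffic is plain IP, so it is routed between VLAN 10 and VLAN 20 here.
interface Vlan10
 description Access points (management + GRE tunnels to the controller)
 ip address 10.1.10.1 255.255.255.0
interface Vlan20
 description Mobility controller management (GRE tunnels terminate here)
 ip address 10.1.20.1 255.255.255.0
interface Vlan100
 description Corporate WLAN users (gateway lives here, not on the controller)
 ip address 10.1.100.1 255.255.255.0
interface Vlan200
 description Guest WLAN users
 ip address 10.1.200.1 255.255.255.0
interface Vlan900
 description Transit link to the 3rd party firewall inside interface
 ip address 10.0.0.2 255.255.255.252
!
! Access points: access ports in the AP VLAN only; no user VLANs are needed on these ports.
interface GigabitEthernet1/0/1
 description Access point
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Controller: trunk carrying its management VLAN plus the user VLANs it de-tunnels traffic into.
interface GigabitEthernet1/0/24
 description Mobility controller
 switchport mode trunk
 switchport trunk allowed vlan 20,100,200
!
! Firewall inside interface on the transit VLAN.
interface GigabitEthernet1/0/48
 description Firewall inside
 switchport mode access
 switchport access vlan 900
!
! Default route: everything not local goes to the firewall (assumed at 10.0.0.1),
! which chooses between its two internet uplinks, giving failover for the whole site.
ip route 0.0.0.0 0.0.0.0 10.0.0.1
```

Two things worth checking once this is in place: the firewall needs return routes for the site subnets (in this example 10.1.0.0/16 via 10.0.0.2), otherwise outbound packets leave but replies are dropped; and the controller should be configured so that VLANs 100 and 200 are bridged onto the trunk rather than routed, since the user gateways are the switch SVIs. On the switch, `show ip route` and a traceroute from a wireless client should show the first hop as the SVI and the second as the firewall transit address.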