Looks like it comes down to an issue with AP70's, cpsec and multiple stand alone master controllers running n+1 redundancy.
Why I only saw 100 AP's well technically I had 109 AP 105 and AP 125 on this controller - all others with AP70's - don't think my scroll back buffer goes back far enough - but I'm gonna take a hunch the 100 AP's I saw were just the ap105's and ap125's
so the issue is that AP70's need to download a cert from the controller - if an ap70 swiches to a backup controller/premptively moves back to home controller with a differnet cert it can get into a state where it is unable to replace the cert from a previous controller. If you are lucky you can manually approve the AP in the whitelist-db (even if auto-cert-prov is enabled).... in other cases looks like console access and purging the AP is required (still needed to manually approve on my provisioning controller)
It also seems somehow dependent upon the cert already installed/controller moving to/from - sometimes It works fine.