There is likely Microsoft documentation for your questions. Are you using
SDN 2.0 or 2.1? The architecture changed significantly in 2.1.
The last question is more targeted towards Aruba. If you want to encrypt the
XML datastream, you would use HTTPS and you would need to issue a server
certificate to your controllers from the same CA that signs the inside of
your Lync environment.
Some of this is covered in the Aruba VRD:
http://community.arubanetworks.com/t5/Validated-Reference-Design/Lync-Over-Aruba-WiFi/ta-p/199813