OK, I finally sliced off some time to test this.
I used a client that does OKC, and moved one of my APs to the standby controller.
I associated that client to the AP on the standby and waited for an old user-table entry on the
master to time out. Once it was gone, I started a ping from the client and I unplugged the
standby-attached AP so the station had to roam to an AP that was on the master.
Here's what happened: The master got a 4-way handshake and pulled the correct VLAN
from the client without any RADIUS transactions. I can only assume it pulled it from the
standby using some mobility-ish protocol. However, the client was NOT able to communicate,
because it had no user-table entry, and Enforce DHCP was preventing the pings from
creating a user-table entry. I had to manually renew the DHCP lease on the client and
then pings started to work again. I suspect the number of Wi-Fi clients that will tell their
dhclient to renew after an OKC roam is close to zero, so I would have to say: turn off
client state sync if you are using Enforce DHCP in an HA setup, especially if you
are spreading your APs between the master and standby.
To test further, I unplugged the new AP, forcing the client to roam to another AP that was
also on the master. The client never lost a ping during this OKC roam.