If your network uses 802.1x validation on the wireless ports you will need some mechanism to enable the AP to authenticate on the port.
The default Cisco solution is to configure the AP with a EAP-FAST username and credential and enable a policy for this in ISE
The process is described in Configure Lightweight Access Point as an 802.1x Supplicant
Just for quick reference here is the CLI that can be used on the AP console interface to configure the credential
debug capwap console cli capwap ap dot1x username <username> password <password>
Update:
Since WLC software version 8.7 it is possible to use EAP-TLS (certificates)
Read about this in 802.1X EAP Supplicant on COS AP. Be aware that 8.7 is a very new release and there are many AP models not supported.