If your network uses 802.1x validation on the wireless ports you will need some mechanism to enable the AP to authenticate on the port.

The default Cisco solution is to configure the AP with a EAP-FAST username and credential and enable a policy for this in ISE

The process is described in Configure Lightweight Access Point as an 802.1x Supplicant

Just for quick reference here is the CLI that can be used on the AP console interface to configure the credential

debug capwap console cli
capwap ap dot1x username <username> password <password>

Update:

Since WLC software version 8.7 it is possible to use EAP-TLS (certificates)

Read about this in 802.1X EAP Supplicant on COS AP. Be aware that 8.7 is a very new release and there are many AP models not supported.