What's best practice? Is it better to have the WCS on the same VLAN as the controller(s)?
Given the fact that it is SNMP traffic, the WCS-to-WLC SNMP reads/writes should be confined to subnet(s) that are secured by ACLs/firewalls/RFC 1918 address space, yada yada....
One way to do it is to place the WCS behind a firewall on the same or reachable subnet as the WLC service or management ports. I prefer using the service port on the WLC for the WCS SNMP traffic; this way I can prune that VLAN off the switch trunk ports that the WLC connects to, as well as put it in a subnet that is away from prying eyes. I have had it working just fine since 3.0.2x all the way up to the latest rev this way.
The controller will touch an additional VLAN for each dynamic interface you create for WLANs.
You can also dual-home the WCS server, but the default option on WCS install/upgrade is to bind to one interface (it will detect and prompt in regard to multiple interfaces, at least on the Linux version).
Also, don't forget to lock down HTTPS access to the WCS web frontend as well.