Suppose that the AP and Controller communicate over a L3 network.
Can NAT be performed in between?
For example, suppose that the AP is connected to an ADSL router that performs NAT.
Just to expand on what George had said, when the controller sends the discovery response to an AP the controller's ap-manager interface IP address is embedded in the response. So if this packet gets NATed the embedded address won't. So just make sure they AP can route packets to whatever address is configured on the controller. The controller doesn't need to see the AP's configured address, this one could be NATed.
Yes, I've worked on projects where we did a VPN SEC with a NAT. So long as the AP is routable she will phone home.