To make it simple, any WLCs that will be a primary, secondary, or tertiary WLC for LAPs will need to be placed in the same mobility group. Now if you have a guest anchor controller for guest, then that will need to be added to the same mobility group. Bottom line, when users roam from AP to AP, from one WLC to another, even getting tunneled (anchor), the WLCs need to be aware of the roaming, and that is what a mobility group does.
Anchor is if you want to tunnel users to a specific controller, like in a guest wireless situation when the WLC is located in the DMZ. There are other reasons, but this is most likely why.
Yes, the virtual IP has to be the same on all controllers that are part of a mobility group. Since this is communication between the WLCs, it is a tunnel that is formed and is forwarded and received through the management interface of the WLCs. So if you are allowing all traffic between the WLCs you should be fine. It is ports 16666 & 16667.
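The rules stated in the replies above (every primary/secondary/tertiary WLC for an AP plus any guest anchor in one mobility group, identical virtual IP on all of them, mobility traffic between management interfaces on ports 16666 and 16667) are easy to get wrong across a fleet of controllers. The following is an added example, not code from the posters or from Cisco, that audits a constructed inventory against those rules and emits the minimal firewall allow list between management IPs. The controller names, addresses, AP assignments and the `audit`/`mobility_acl` helpers are assumptions made for illustration; the post names only the port numbers, so treating them as UDP is also an assumption.

```python
"""Mobility-group consistency audit (added example; all data is constructed)."""
from dataclasses import dataclass
from typing import List, Optional

# Port numbers from the post; the UDP transport is an assumption here.
MOBILITY_PORTS = (16666, 16667)
MOBILITY_PROTO = "udp"


@dataclass(frozen=True)
class WLC:
    name: str
    mgmt_ip: str          # mobility tunnels source/terminate here
    mobility_group: str
    virtual_ip: str       # must match on every member of the group


@dataclass(frozen=True)
class AP:
    name: str
    primary: str
    secondary: Optional[str] = None
    tertiary: Optional[str] = None

    def failover_targets(self) -> List[str]:
        return [c for c in (self.primary, self.secondary, self.tertiary) if c]


def audit(wlcs: List[WLC], aps: List[AP], anchors: List[str]) -> List[str]:
    """Return findings; an empty list means the inventory satisfies the rules."""
    by_name = {w.name: w for w in wlcs}
    findings: List[str] = []
    required = set()  # WLCs that must be mobility peers of each other

    for ap in aps:
        for c in ap.failover_targets():
            if c not in by_name:
                findings.append(f"{ap.name}: references unknown WLC {c}")
            else:
                required.add(c)
    for a in anchors:
        if a not in by_name:
            findings.append(f"anchor {a} is not a known WLC")
        else:
            required.add(a)  # the guest anchor joins the same group

    members = [by_name[n] for n in sorted(required)]
    if len({w.mobility_group for w in members}) > 1:
        findings.append("mobility group mismatch: " +
                        ", ".join(f"{w.name}={w.mobility_group}" for w in members))
    if len({w.virtual_ip for w in members}) > 1:
        findings.append("virtual IP mismatch: " +
                        ", ".join(f"{w.name}={w.virtual_ip}" for w in members))
    return findings


def mobility_acl(wlcs: List[WLC]):
    """Bidirectional (src, dst, proto, port) tuples between management IPs of peers."""
    rules = []
    for a in wlcs:
        for b in wlcs:
            if a.name != b.name and a.mobility_group == b.mobility_group:
                for port in MOBILITY_PORTS:
                    rules.append((a.mgmt_ip, b.mgmt_ip, MOBILITY_PROTO, port))
    return rules


# Constructed inventory: three consistent controllers and one misconfigured branch WLC.
EXAMPLE_WLCS = [
    WLC("wlc1", "10.0.0.11", "CORP", "192.0.2.1"),
    WLC("wlc2", "10.0.0.12", "CORP", "192.0.2.1"),
    WLC("dmz-anchor", "203.0.113.5", "CORP", "192.0.2.1"),
    WLC("wlc3", "10.0.1.11", "BRANCH", "192.0.2.2"),
]


def audit_consistent_example() -> List[str]:
    aps = [AP("ap-lobby", "wlc1", "wlc2")]
    return audit(EXAMPLE_WLCS, aps, anchors=["dmz-anchor"])


def audit_inconsistent_example() -> List[str]:
    # wlc3 is added as a tertiary target but sits in another group with another VIP.
    aps = [AP("ap-lobby", "wlc1", "wlc2", "wlc3")]
    return audit(EXAMPLE_WLCS, aps, anchors=["dmz-anchor"])


if __name__ == "__main__":
    print("consistent:", audit_consistent_example())
    print("inconsistent:", audit_inconsistent_example())
    for rule in mobility_acl(EXAMPLE_WLCS):
        print("allow", *rule)
```

The ACL helper deliberately only pairs controllers already in the same group; if the audit reports a mismatch, fix the group membership first rather than opening ports to a controller that should not be a peer.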