The rule for Cisco APs to turn on Protection Mode (use of RTS/CTS or CTS-to-Self) is:
If the AP is required to respond to a probe request with a probe response, then protection mode is automatically enabled. To prevent this from happening, simply disable broadcasting the SSID in beacons - which, btw, also disables probe responses when probe requests contain the "broadcast" SSID (which is blank (or null)). The 802.11 standard says that APs are required to respond to probe requests from any station that sends one with the broadcast SSID or the SSID of the AP. Since you would have implemented it such that the AP won't respond to null SSID fields in the probe request, the AP won't have to turn on Protection Mode (which will cost you half of your throughput in an 802.11g environment). Also, any 802.11b associated clients on an 802.11g AP will enable protection mode. Cisco has Association ACLs to prevent accidental associations.
The AP handles turning Protection Mode on/off by itself - this is not something you can manually configure.
IEEE 802.11 section 18.104.22.168 describes the Use_Protection bit of the ERP Information Element. As you noted, the access point (AP) must set this bit if any NonERP station is a member of the basic service set (BSS). Section 9.10 describes the protection mechanisms for ERP-OFDM frames >and< in the third paragraph describes a situation where a vendor >may< set the Use_Protection bit:
"In the case of a BSS composed of only ERP STAs, but with knowledge of a neighboring co-channel BSS having NonERP traffic, the AP may require protection mechanisms to protect the BSSs traffic from interference."
The Use_Protection bit is set and cleared by vendor policy as guided by the IEEE standard.