Have you tried the new software release 5.2? I see in the Cisco documentation to watch out for port numbers and your firewall ACLs. But there is no info on what exactly is going on with the ports after the upgrade from LWAPP to CAPWAP. Do LAPs stay with LWAPP ports 12222 and 12223, or after conversion and reboot do they change ports (5246 - control, 5247 - data)?
When an AP running a version before 5.2 joins a 5.2 WLC, the following process is used:
AP joins the 5.2 controller using LWAPP 12223.
AP downloads 5.2 code and reboots.
AP joins the 5.2 controller using CAPWAP 5246.
If the AP is unsuccessful, it falls back to LWAPP. *Note that a CAPWAP AP will not be allowed to register using LWAPP to a CAPWAP WLC.*
So, it's best to open up UDP 5246 and 5247 before the upgrade, and only remove 12222/12223 after the upgrade is complete. That said, keep in mind that if you add new APs to the network that aren't running 5.2, you will need those ports open still.
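
One way to check a firewall ACL against the join sequence described in the answer above, as an added example that is not part of the original thread. The function names, the simplified IOS-style ACL parsing (addresses ignored, first match wins) and the sample ACLs with their addresses are assumptions made for illustration.

```python
import re

# Ports named in the thread: LWAPP 12222/12223, CAPWAP 5246 (control) / 5247 (data).
LWAPP_PORTS = [12222, 12223]
CAPWAP_PORTS = [5246, 5247]

def udp_allowed(acl_text, port):
    """First-match evaluation of IOS-style ACL lines for one UDP destination port.
    Simplification (assumption): addresses are ignored and only a trailing
    eq/range clause is read, so keywords after the port (e.g. log) are unsupported."""
    for line in acl_text.splitlines():
        m = re.match(r"\s*(permit|deny)\s+(udp|ip)\b(.*)", line)
        if not m:
            continue  # blank lines, remarks, other protocols
        action, _proto, rest = m.groups()
        rng = re.search(r"\brange\s+(\d+)\s+(\d+)\s*$", rest)
        eq = re.search(r"\beq\s+((?:\d+\s*)+)$", rest)
        if rng:
            hit = int(rng.group(1)) <= port <= int(rng.group(2))
        elif eq:
            hit = port in [int(p) for p in eq.group(1).split()]
        else:
            hit = True  # no port clause: the entry matches every port
        if hit:
            return action == "permit"
    return False  # implicit deny at the end of the ACL

def assess_upgrade(acl_text):
    """Ports the ACL blocks per phase: 'lwapp' matters while any pre-5.2 AP still
    has to join and download code, 'capwap' once an AP has rebooted into 5.2."""
    blocked = lambda ports: [p for p in ports if not udp_allowed(acl_text, p)]
    return {"lwapp": blocked(LWAPP_PORTS), "capwap": blocked(CAPWAP_PORTS)}

# Constructed sample ACLs (addresses are placeholders, not from the thread).
ACL_LWAPP_ONLY = """
permit udp 10.10.0.0 0.0.0.255 host 10.1.1.5 range 12222 12223
deny ip any any
"""
ACL_TRANSITION = """
permit udp 10.10.0.0 0.0.0.255 host 10.1.1.5 range 12222 12223
permit udp 10.10.0.0 0.0.0.255 host 10.1.1.5 eq 5246 5247
deny ip any any
"""

if __name__ == "__main__":
    for name, acl in [("LWAPP only", ACL_LWAPP_ONLY), ("transition", ACL_TRANSITION)]:
        print(name, assess_upgrade(acl))
```

A non-empty `capwap` list before the upgrade means APs will download 5.2, reboot, and then be unable to rejoin; a non-empty `lwapp` list afterwards is only acceptable once no pre-5.2 APs will be added.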