Have you seen these docs? They show how to enable/disable MFP along with error descriptions etc;
Enhanced IDS with Management Frame Protection
Management Frame Protection (MFP), which authenticates management frames between Access Points, eliminates several WLAN attacks that arise due to spoofing of authorized devices. CiscoWorks WLSE enables MFP in the network and provides visibility into network events associated with MSP detection/protection.
Understanding Management Frame Protection
Although the data frames passing through an 802.11 network are considered to have excellent authentication and privacy through the protocol enhancements of 802.11i, control and management frames are still extremely vulnerable in a strictly 802.11-standard network. Because control and management frames are unauthenticated, any rogue device can, for example, mimic an access point and tell 802.11 client devices that they are no longer associated to that AP.
Management Frame Protection (MFP) inserts secure authentication information into 802.11 management frames to prevent this type of attack. This feature allows network infrastructure devices (APs and their related servers) to be MFP generators and detectors, essentially cross-checking each other during network operations. The primary network-level management takes place at the Wireless Domain Server (WDS) level, and the managed APs provide both generation and detection capabilities. The WLSE functions as a reporting mechanism by logging alerts, sending email to administrators, and so on.
When MFP is enabled for a network, each MFP-capable detector AP queries the WDS when it first observes a management frame from a given generator AP. The WDS tells the detector whether the generator should be producing MFP frames, and, if so, what its AAA keys should be. If the WDS's expectation of the MFP state of the generator AP is violated, the detector AP sends the WDS an MFP report. As all generator APs' AAA keys are rotated, the WDS informs all detector APs ahead of time to avoid false alarms.