Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
If anyone else in the forum has some advice, please reply to this thread.
Most client cards can handle multiple WEP keys, as can the APs.
This means you can divide your total user population into multiple groups so that you do not have to expire everyone key at the same time. Of course you then have multiple user groups to maintain, but if you are after a separation of groups (students vs. faculty, PHBs vs. workers) then this is practical.
Multiple instances of LEAP would just be more of the same. It will help a lot when Cisco delivers long-promised multiple VLAN capabilities for the AP!