In my simple test network I am currently using the local radius server on a WDS AP (12.3(7)JA1) and can authenticate an Infrastructure AP and a user using LEAP. I have both the WDS AP and an Infrastructure AP registered with the WDS AP OK, but the WLSE will not authenticate. Running debug on the WDS AP shows a shared key mismatch with the WLSE but I have checked that the credentials are the same on both boxes. Looking at the Radius stats on the WDS AP confirms the share key mismatch but I am at a loss to know why. Whatever key pairs I try on the WLSE and the WDS AP/Radius server results in a share key mismatch. If I get no further tomorrow I will open a TAC case but I'm sure it shouldn't be this difficult. I have set this up before OK with a WLSE and an ACS server and it went smoothly.
With 2.11 and 12.3(7) the biggest problem I have seen is the incomplete arp entry on the WDS primary for the WLSE address. A static arp entry pointing to the default gateway of the WDS Primary is a workaround or proxy arp on the default gateway router interface. You have made sure the wlccp credentials on wlse match what is on the local radius server?
In my test setup there is only the WLSE, a 10/100 hub, 2 APs (1 as WDS and 1 as infrastructure) and a PC with wireless client. I have placed the static arp entry on the WDS and can communicate happily with the WLSE via telnet and web. The problem seems to be getting the WLCCP and Radius protocols to work between the WDS and WLSE. I am going to try to set all Readius shared secrets and passwords to the same on everything and see if that solves the shared key mismatch message I'm getting.