Be aware of each feature's change and its implications. RRM related changes takes time to come on effect. Try the '*' mentioned as last resort.
WLC level:
#Increase User idle timeout.
#Enable fast ssid.
#Check virtual ip, required for Mobility.
#RRM/static for power and channel. If most/all APs configured with static/dynamically power showing 1/1* then they've poor/excessive RF coverage.
#Are Mobility up between added Mobility members. If down or unconfigured client will do failover roaming between the APs connected to different wlc.
#Country code - Check Right CC selected for the joined AP.
#Check Datarates 2.4, 5ghz - Enable/Disable based on requirement(Based on channel utilization and coverage).
#Use Cleanair or 3rd party interference detector.
*Disable broadcast key rotation. This will be the last resort.
*WLC uptime, reboot if more than 200 days to free up garbage collection. This will be the last resort.
AP level:
#Are AP getting disconnected from wlc. Check AP uptime.
#Are Radio resetting frequently. Check AP log.
#Are High Channel Utilization observed on APs.
#Are appropriate Antennas connected to AP.
#Are client connecting AP joined to intended WLC and roaming to Autonomous/3rd party AP with similar ssid config.
#Disable RLDP on 'All-APs' or use only on monitor mode APs to avoid client disconnection. It interrupts client communication.
#Disable Auto/Manual Containment that interrupts client communication.
#Check wIDS trap/alert. See if DoS attack detected particularly disassocation/deauthentication.
wlan level:
#Security - If WPA with or without 802.1X, use either wpa-tkip only or wpa2-aes only for simiplicity
#Disable Aironet ie, if trying client is not ccx capable Ex: Apple
#Disable client load balancing, if required(it requires CCX)
#Disable client band select, if single band client - b/g is used and or non ccx
#Disable gtk randomize - It breaks broadcast/multicast on wpa/wpa2 wlan, let it be disabled unless cust had specific requirement.
#Disable dhcp required. It introduces delay in roaming due to force dhcp.
#Check detected Rogue APs. More Rogue AP means more interference on that radio band.
#Session timeout - Disable/Increase timeout.
#Disable client exclusion, if required.
#Disable Tkip countermeasure, if detected.
client level: (For isolated client issues)
#Monitor>> client>> wireless client - check up time
#wireless client side config:
#wmm enabled/disabled
#powersave enabled/disabled
#tweak Roaming Aggressiveness
#change supplicant
#change driver
Traplog:
Enable disassocation/deauth traps, Check the traps for deauth messages.
Msglog:
Check for unusual messages.
Narrow down the issue to wlc config, RF, dhcp, auth, specific client's supplicant/driver issue,...