Eap- TLS is a sort of EAP method to authenticate client with the certificate without use of usern-ame an password.

Below example is to use EAP-TLS with controller

EAP-TLS requires digitally signed certificate to authenticate clients.

Certificate required on controller.

1. Device Certificate issue to WLC.

To generate the device certificate.

http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

And download it to the controller it is vendor device certificate using command line or GUI.In GUI select the download vendor device certificate option

(TACLAB)transfer download mode tftp

(TACLAB) >transfer download datatype eapdevcert
(TACLAB) >transfer download path .
(TACLAB) >transfer download filename final.pem
(TACLAB) >transfer download certpassword check123

(TACLAB) >transfer download serverip 192.168.178.52
(TACLAB) >transfer download start

2. Root Certificate of a CA.

If you have root ca certificate on device ,you can export it using the Firefox.

Path- browser>>Advance>>Encryption>>view certificate>>Export.>>>save it as x.509 file type certificate.

E.g-test.crt

And download it the controller.It is ca certificate.In GUI select the 

(TACLAB)transfer download mode tftp

(TACLAB) >transfer download datatype eapdevcert
(TACLAB) >transfer download path .
(TACLAB) >transfer download filename final.pem
(TACLAB) >transfer download certpassword check123

(TACLAB) >transfer download serverip 192.168.178.52
(TACLAB) >transfer download start

.

Root-CA certificate should be installed on controller as well as clients.

Now configure a profile with EAP-TLS on controller and inherit it to the SSID under advanced section

To configure local eap profile below is the document.

https://mrncciew.com/2013/04/21/configuring-local-eap-on-wlc/.