Do/Can the ACLs configured on the WLC (at Security > Access Control Lists > Access Control Lists) apply to the AP traffic as well? If not, is there somewhere else I could find this functionality?
That depends on the mode your APs are running. If you use LOCAL, then I think yes. If you use FlexConnect, then I think no. I suggest doing the ACLs upstream, meaning at the router/firewall for the IP subnet.
CLI session timeout was tested to be 5 minutes. Is this configurable?
(Cisco Controller) >config sessions timeout ?
[0-160] Enter time in minutes.
CLI session is killed after 10 failed attempts. Is this configurable?
No idea. In any case, I suggest limiting IP access to the WLC on the upstream device.
To add a little bit of context, my organization and I both agree that SSH should be turned off on the AP, but at the same time, want to understand our options as best as possible should the need ever arise.
Below you have referenced some documentation and commands for the controller. Do these settings apply to the AP as well?
I tested the session timeout command on the controller, but this setting does not trickle down to the AP. This configuration doesn't exist on the AP itself.
No, I don't think it will trickle down to the AP. In any case, they have a very restricted interface when running in CAPWAP mode and don't allow much in the way of configuration (you can change the associated WLC, for example). This is another reason to simply disable SSH/Telnet access completely on the AP. Do set an AP password though; there is still the console port.