05-11-2022 08:12 AM
I have a Cisco WLC 9800 and a Cisco 9115 AP.
I have an issue with the AP not joining the WLC.
The issue is: Cisco WLC 9800 dtls_process_packet: DTLS Error: 1051
How do I solve this problem?
05-11-2022 08:26 AM
Can you share more log messages?
05-11-2022 08:44 AM
- Review these, check if you can find anything relevant:
M.
05-11-2022 11:53 AM
Which 9800 platform and the IOS-XE code are you running? Also post the complete output from console connected to the AP.
Also, did you check that the WLC is syncing to an NTP server and the time is correct?
05-12-2022 08:07 AM
Thanks for your message @Arshad Safrulla @marce1000 @MHM Cisco World
I have a Cisco WLC 9800-L-F running Software (C9800_IOSXE-K9), Version 17.3.4c.
We have an extract of the log of the AP model 9115AXE, which is not able to join the CT9800:
May 11 17:55:50 kernel: [*05/11/2022 17:55:50.1650] upgrade.sh: Cleanup tmp files ...
May 11 17:55:50 kernel: [*05/11/2022 17:55:50.1840] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: DTLS Teardown(4).
May 11 17:55:50 kernel: [*05/11/2022 17:55:50.1840] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: DTLS Teardown(4).
May 11 17:55:54 kernel: [*05/11/2022 17:55:54.7810] No more AP manager addresses remain..
May 11 17:55:54 kernel: [*05/11/2022 17:55:54.7810] No valid AP manager found for controller Wlc-Zit (ip: 192.168.1.210)
May 11 17:55:54 kernel: [*05/11/2022 17:55:54.7810] Failed to join controller Wlc-Zit.
May 11 17:55:54 kernel: [*05/11/2022 17:55:54.7810] Failed to join controller.
May 11 17:56:04 kernel: [*05/11/2022 17:56:04.7860] systemd[1]: Starting dhcpv6 client watcher...
May 11 17:56:04 kernel: [*05/11/2022 17:56:04.7970] systemd[1]: Stopping DHCPv6 client...
May 11 17:56:04 kernel: [*05/11/2022 17:56:04.8010] systemd[1]: Starting DHCPv6 client...
May 11 17:56:04 kernel: [*05/11/2022 17:56:04.8340] systemd[1]: Started DHCPv6 client.
May 11 17:56:04 kernel: [*05/11/2022 17:56:04.8510] systemd[1]: Started dhcpv6 client watcher.
May 11 17:56:14 kernel: [*05/11/2022 17:56:14.7840]
May 11 17:56:14 kernel: [*05/11/2022 17:56:14.7840] CAPWAP State: Discovery
May 11 17:56:14 kernel: [*05/11/2022 17:56:14.7860] Got WLC address 192.168.1.210 from DHCP.
May 11 17:56:14 kernel: [*05/11/2022 17:56:14.7860] Got log server settings(192.168.1.133 ) from DHCP.
May 11 17:56:14 kernel: [*05/11/2022 17:56:14.7860] IP DNS query for CISCO-CAPWAP-CONTROLLER.zit.com
May 11 17:56:14 kernel: [*05/11/2022 17:56:14.7880] systemd[1]: Starting dhcpv6 client watcher...
May 11 17:56:14 kernel: [*05/11/2022 17:56:14.8010] systemd[1]: Stopping DHCPv6 client...
May 11 17:56:14 kernel: [*05/11/2022 17:56:14.8050] systemd[1]: Starting DHCPv6 client...
May 11 17:56:14 kernel: [*05/11/2022 17:56:14.8260] Discovery Request sent to 192.168.1.210 , discovery type STATIC_CONFIG(1)
May 11 17:56:14 kernel: [*05/11/2022 17:56:14.8320] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
May 11 17:56:14 kernel: [*05/11/2022 17:56:14.8390] systemd[1]: Started DHCPv6 client.
May 11 17:56:14 kernel: [*05/11/2022 17:56:14.8490] Discovery Response from 192.168.1.210
May 11 17:56:14 kernel: [*05/11/2022 17:56:14.8500] Discovery Response from 192.168.1.210
May 11 17:56:14 kernel: [*05/11/2022 17:56:14.8620] systemd[1]: Started dhcpv6 client watcher.
May 11 17:56:22 sshd[26839]: Connection closed by 192.168.81.5 port 58060 [preauth]
May 11 17:56:25 kernel: [*05/11/2022 17:56:25.0000]
May 11 17:56:25 kernel: [*05/11/2022 17:56:25.0000] CAPWAP State: DTLS Setup
May 11 17:56:25 kernel: [*05/11/2022 17:56:25.3450] dtls_process_packet: DTLS Error: 1051
May 11 17:56:25 kernel: [*05/11/2022 17:56:25.3450] dtls_process_packet: The controller shut down the DTLS connection.
May 11 17:56:25 kernel: [*05/11/2022 17:56:25.3450] dtls_process_packet: Please verify that the AP certificate is valid and has not expired.
May 11 17:57:22 kernel: [*05/11/2022 17:57:22.0360]
May 11 17:57:22 kernel: [*05/11/2022 17:57:22.0360] CAPWAP State: DTLS Teardown
May 11 17:57:22 upgrade: Script called with args:[ABORT]
May 11 17:57:22 kernel: [*05/11/2022 17:57:22.1110] upgrade.sh: Script called with args:[ABORT]
May 11 17:57:22 kernel: [*05/11/2022 17:57:22.1510] do ABORT, part2 is active part
May 11 17:57:22 upgrade: Cleanup tmp files ...
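A way to triage an AP console log like the extract above, as an added example that is not part of the original posts: it groups lines into CAPWAP join attempts and reports where each one failed. The sample lines are constructed in the shape of the log in this thread; the function names and the verdict wording are assumptions of this example.

```python
import re

# Constructed sample, shaped like the AP log lines posted in this thread.
SAMPLE_LOG = """\
May 11 17:56:14 kernel: [*05/11/2022 17:56:14.7840] CAPWAP State: Discovery
May 11 17:56:14 kernel: [*05/11/2022 17:56:14.8490] Discovery Response from 192.168.1.210
May 11 17:56:25 kernel: [*05/11/2022 17:56:25.0000] CAPWAP State: DTLS Setup
May 11 17:56:25 kernel: [*05/11/2022 17:56:25.3450] dtls_process_packet: DTLS Error: 1051
May 11 17:56:25 kernel: [*05/11/2022 17:56:25.3450] dtls_process_packet: The controller shut down the DTLS connection.
May 11 17:57:22 kernel: [*05/11/2022 17:57:22.0360] CAPWAP State: DTLS Teardown
"""
LINE = re.compile(r"\[\*(?P<ts>[\d/]+ [\d:.]+)\]\s*(?P<msg>.*)$")
STATE = re.compile(r"CAPWAP State: (?P<state>.+)")
DTLS_ERR = re.compile(r"DTLS Error: (?P<code>\d+)")
RESPONSE = re.compile(r"Discovery Response from (?P<ip>\S+)")

def triage(log_text):
    # One attempt per "CAPWAP State: Discovery"; a log that starts
    # mid-attempt still gets an entry for its first state line.
    attempts, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # sshd/upgrade lines carry no [*timestamp] prefix
        msg = m["msg"].strip()
        if (s := STATE.search(msg)):
            if s["state"] == "Discovery" or cur is None:
                cur = {"states": [], "controllers": set(),
                       "dtls_errors": [], "peer_closed": False}
                attempts.append(cur)
            cur["states"].append(s["state"])
        elif cur is None:
            continue
        elif (r := RESPONSE.search(msg)):
            cur["controllers"].add(r["ip"])
        elif (e := DTLS_ERR.search(msg)):
            cur["dtls_errors"].append((m["ts"], int(e["code"])))
        elif "controller shut down the DTLS connection" in msg:
            cur["peer_closed"] = True
    return attempts

def verdict(a):
    # Follow-up checks named here are the ones raised in this thread.
    if a["dtls_errors"] and a["states"][-1:] == ["DTLS Teardown"]:
        who = "controller" if a["peer_closed"] else "unknown side"
        return f"DTLS handshake rejected by {who}; check AP cert validity and WLC clock/NTP"
    if "DTLS Setup" not in a["states"]:
        return "never reached DTLS Setup; discovery problem"
    return "no DTLS error seen"
```

Run over the full console output, a repeating Discovery, DTLS Setup, DTLS Teardown cycle with the same error code each time points at the handshake itself rather than at discovery or reachability.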
05-12-2022 08:26 AM
dtls_process_packet: Please verify that the AP certificate is valid and has not expired. <<<- the AP certificate if expired.
A - Change the time: "move it to the time the AP joined the WLC"
B - config ap cert-expiry-ignore .. enable
05-12-2022 09:10 AM - edited 05-12-2022 09:13 AM
@MHM Cisco World that command is for AireOS - this is 9800!
As per https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
Solution for Expired AP Certificates and/or for Scenario of Encrypted Mobility Tunnels That Fail to Form
C9800 Command to Accept Expired Certificates
configure terminal
crypto pki certificate map map1 1
 issuer-name co cisco manufacturing ca
crypto pki certificate map map1 2
 issuer-name co act2 sudi ca
crypto pki trustpool policy
 match certificate map1 allow expired-certificate
exit
Create a Certificate Map and Add the Rules
configure terminal
crypto pki certificate map map1 1
 issuer-name co Cisco Manufacturing CA
Use the Certificate Map Under the Trustpool Policy
configure terminal
crypto pki trustpool policy
 match certificate map1 allow expired-certificate
Note: You can add more rules and filters under the same map. The rule mentioned in the previous configuration specifies that any certificate whose issuer-name contains Cisco Manufacturing CA (case insensitive) is selected under this map.
But no 9115 should have an expired cert so this is more likely invalid time on WLC (is NTP configured and working?) or something else.
Get debugs and packet capture on the WLC at the same time to see what the actual problem is.
05-12-2022 09:13 AM
Correct, this is for AireOS WLC and you have a WLC 9800.