>...In my opinion, the error always occurs in the same way. But I still don't know what the problem is.
   - Note that for Wireless Debug Analyzer it is advised to input a longer debug session (from a particular client)  to get a  better overview of what is happening , 

 M.

@JPavonM you're misreading the switchport config.  It's REMOVED VLANs not ALLOWED VLANS.  So 55 is allowed - between 54 and 56.

@Heiko Kelling 
1. What version of software are you running on the vWLC?
2. What version of software are you running on the 3504 WLCs? (should be same version as central)
(hint: refer to TAC recommended versions link below - currently should be 8.10.190.0)
3. Do you have mobility configured between the vWLC and the site WLCs?
4. You say "WLANs were switched to FlexConnect" but it's APs not WLANs which are configured for FlexConnect.  WLANs on a FlexConnect AP can be configured for central or local switching and authentication so it's the specifics of the WLAN configuration which matter.
5. Do you have Fast SSID changing enabled?  Who knows why Cisco did not make this default but you have to enable it explicitly otherwise any client switching between SSIDs will get access denied (your mention of switching SSIDs hints that this could be an issue)
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/client_roaming.html#fast-ssid-changing
6.  Make sure your AP groups and Flexconnect groups on the local and central WLCs are identical (same number of identically named and numbered WLANs and in the same order).  There have been a number of bugs around this fixed over the years but we've still seen occasional problems if they are not the same - the AP gets "confused" sometimes.
7.  Obviously you should have a separate flexconnect group for each site.

Going back to your design - if you have on-site and central WLCs why not make the on-site WLC the primary with the central WLC as backup?

Hello @Rich R , thank you very much for your detailed answer and your effort to help me!

to 1. Version 8.8.130.0 is currently running on the central controller and version 8.10.190.0 is running on the local controller at one of the schools. The reason I moved the access point at one school to the local controller was to be able to recreate the problem without affecting the other schools. First I had 8.8.130.0 locally and centrally and as a test I later updated to 8.10.190.0.

to 2. see answer 1.

3. No, I haven't done that at the moment because either all access points are always on the local controller or all access points are always on the central controller. There is no case where both controllers have active access points.

4.Ok sorry. You're right. The access points are all in FlexConnect mode. The SSIDs are all configured to use local switching. This is what the settings look like for each SSID.

5. I currently do not have Fast SSID change activated. However, this is the first setting I will try the next time I am at the school. I came across this again and again during my research and when evaluating my logs. In general, however, you can say that there are problems not only when switching between SSIDs, but also when devices completely reconnect without first being in one of the other SSIDs. I was still thinking about unchecking “Client Exclusion” because clients always seem to end up on the dynamic blacklist. The third point I kept finding was changing the “Management Frame Protection”. But I'm not sure if a change will make a difference. But these are all things that I would like to change and test step by step at the next on-site appointment.

6. I'm relatively sure that there are at least minor differences, but I've always been of the opinion that as soon as the APs switch to a different controller they reload all their settings...or is that not the case?

7. I've already thought about it. I'll plan that for the next appointment too.

"Going back to your design - if you have on-site and central WLCs why not make the on-site WLC the primary with the central WLC as backup?"

This was done at the request of the project performance back then. From my point of view, that makes sense, because the goal is to have central management in one place.

The trouble with having APs switch between WLCs on different software versions is that every time they move (even for a few minutes they must download the software (if they don't already have it on flash) and then reload.  If you're using N+1 then all your WLCs should run the same version.

Again I will say if you have N+1 then AP groups and WLANs should be identical - APs do get confused.  Don't risk differences, it will catch you out eventually.

Just enable Fast SSID switching - I've never heard a reason for disabling it.

Although your WLAN is using flex local switching it's still using central auth.  What authentication method are you using?  You might want to consider using flex local auth too.