When FlexConnect is in connected mode (i.e. the WLC CAPWAP Control tunnel is up), you have two options for EAP-TLS:
1) Local mode EAP-TLS (works in either connected or standalone mode). This is where clients are authenticated locally on the Access Points via certificates. As long as certificates are set up in the way outlined in the guide, this will work.
2) Use central auth with a RADIUS server like Cisco ISE set up with an EAP-TLS chain in a similar fashion. With this option you lose auth with the WAN down, and auth must traverse the WAN to central, so local is a less risky option but could be a headache to set up (I haven't set this up, so I'm not sure).
Mobility Express doesn't seem to support local EAP-TLS so there's a limitation there. It can still support central auth to a RADIUS server over the WAN with local switching if that is an option.