@Rasika Nayanajith Thank you for the reply! I appreciate it a lot.

I'll try to be more specific.

As you have already mentioned here https://community.cisco.com/t5/other-wireless-mobility-subjects/mobility-control-amp-data-encryption/m-p/3955950/highlight/true#M101919 , encrypted mobility messaging via CAPWAP DTLS is enabled by 2 commands:

config mobility group member add peer-mac-addr peer-ip-addr group-name encrypt { enable | disable} (which is Secure Mobility - Enabled in GUI)

config mobility group member data-dtls peer-mac-addr { enable | disable} (which is Data Tunnel Encryption - Enabled in GUI)

The same is described in the configuration guide for 8-10 you provided earlier https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/encrypted_mobility_tunnel.html . 

I believe these 2 commands will make the WLCs to use CAPWAP DTLS instead of EoIP for Mobility Data traffic indeed.

What I am asking about is "High Cipher" selection. Please look at the screenshot. I've highlighted additional 3rd option we can use with the previous 2 commands. But I can't find it's description anywhere and this is what I'm asking about.

@Rasika Nayanajith You were right, I've asked TAC about it and they confirmed your version. They created a bug to fix this docomentation, so waiting for announce in next version of Deployment Guide. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu45944

Thank you for the bug to fix that documentation & give more clear information about those DTLS high ciphers options

Rasika