I've been looking into a solution where you could use the 600AP, I have a security consern though. To limit which AP can associate to the WLC Cisco has the MAC filter. In my opinion I don't consider that save enough, so I was wondering if there's a possibility to involve certificate instead. My think is something like this.
The WLC would have an intermediate certificate from a company root CA.
The 600AP would have a certificate that's verified by the intermediate certifacte on the WLC.
I'm not sure if you even can upload a certifacte to a 600AP to utilize such a feature nor if a WLC can have a intermediate certificate at all. I've roamed around a bit but haven't really found anything one way or the other.