The deployment model of the vWLC is FlexConnect, meaning you will have the APs drop off the clients directly on the Ethernet port. Thus, to keep users separated, you map each of your SSIDs to a VLAN (remember to enable VLAN support on the APs) - the easiest and most scalable way to achieve this is by using FlexConnect groups.
The easiest way to reliably discover the controller is to use option 43. Once the APs have discovered the controller and successfully connected to it, you can choose to statically configure the controller on the APs. This way you don't rely on DHCP in the future. You might be able to use the broadcast forwarding method (ip forward-protocol udp 5246) on the switch with the SVI for the VLAN, but in the past, it has been flaky on some platforms, so I wouldn't use it without intensive testing to ensure it works.
By default, the APs will use the native VLAN (untagged) for DHCP and controller discovery, so remember to set the native VLAN on the switch ports to an appropriate VLAN. You can use the floor-specific VLAN for this, as you can use the same VLAN for client traffic. If you are more security focused, you can create a dedicated VLAN for AP management, or even, depending on the number of APs, have a dedicated VLAN per floor. This way it will be easier for you to control who can access the APs, and which subnets can communicate with the controller.