Check your locations in the controller. Depending on what platform/version of controller you are using this information will be in a different spot. If you have trouble finding it, let me know what your controller is (including software version). If you see a location in red, it means no AP is capable of reaching that location. You will likely what to check the locations table for the specific AP as well. You will see this on the AP status page on a per AP basis.
You likely want to check your switch/router/firewall setup as well. Make sure the switchport the AP is plugged into is a trunk port using 802.1q encapsulation, and also that the specific VLAN is allowed over that trunk port.
Verify that you have a DHCP server capable of responding to the DHCP Discover messages from the clients. This response is also how the AP knows it has access a specific VLAN. The AP will send out it's own discover message, and if it gets an offer then the location will automatically be added the locations table.
Depending on the type of VPN you are using, the traffic allowed to traverse the connection is controlled at the firewall. You can use the Roles to limit access, but ultimately routing will be handled by your routers and/or firewalls.