For EAP-TLS which seems to be your case,  MTU can be a problem but on this case it would prevent clients from authenticate.

But in your case, seems to be a configuration problem. Did you compared the configuration from one working AP to the non-working one ?

Yes, 2 of us went over it in detail, the WAP are configured the same. I am focused on the WAN links causing the issue, I don't know enough about the difference from MOE to MPLS but EAP-TLS but I feel that seems to be the culprit....

If the AP have the exactly same config, then, it could be the link. I got into a problem related to the MTU in the past but, in that case, the behavior was a bit different. But, it was WLC and not WAP.

 The problem was fragmentation  on the Load Balancer and we had a IPS in between. 

OK thanks, still digging.

I found in the packet capture the failed attempt is showing VSA (vendor specific attribute) is sending t=WISPr-location-name val=(site name) while the successful one is sending t=Cisco-AVPair val=service-type-framed.

trying to find the reason why.

I saw this information and that's why I think that the config is not ok, but as you said they are the same on both sides.  I would correlated this parameter change to a link. 

 I will waiting on your new findings

Sounds promissor. But then you have differents AP versions? Otherwise this would affect your whole network

That was the problem, one of those famous "undocumented features". The reason it doesn't affect the entire network is because we are using WLC in our main HQ LAN. We are only using autonomous WAP in our branch locations. The command was already on the WAP we had on the WAN test lab, it must have been a newer WAP that was shipped with the command.

We did compare the radios though GUI but this is an undocumented command as a workaround to the bug i listed so we had to enable it on the WAP that is at the branch location.

For anyone reading this thread later the command is:
dot11 aaa authentication attributes service framed

So lesson learned - don't glance at a GUI and say "they're configured the same"!  Always look at the actual config and compare them side by side, or use any of the numerous file compare tools to diff the configs.  Apart from expected differences like IP addresses and descriptions you'd expect the configs to be more or less identical and you'll quickly spot any difference that way.

Just to add - while WAN links can make a difference to radius because it's UDP and MTU can come into play - a WAN link would never change the contents of a radius packet so if different parameters are being sent that must always be from the source of the packet.