Typically, with a wireless controller, your WAPs will be in a VLAN specifically to manage the WAPs, and it will not be the same as a user data VLAN. The users on the WAPs will get assigned a user data VLAN by the controller, and the WAPs will tunnel the user data via a CAPWAP tunnel to the controller, which will decapsulate the data and place it on the correct data VLAN.
A controller could have multiple user data VLANs, each with its own SSID, with which the WAPs work. Each WAP could advertise all or some of the SSIDs, depending on how the controller configures each WAP. The WAPs get their configurations from the controller; they are not configured individually.
I would like to mention that not every controller will tunnel traffic back to the controller. A lot of controllers will allow you to bridge at the access point, which means that once it has connected to the AP, it will use the specified VLAN to continue on its journey on the network without having to go to the controller. So if you wanted to get out of the Internet, it will simply go to its default gateway rather than the controller which will route the traffic to the gateway. This eliminates the controller as a potential bottleneck.