The general process is as follows
1 Layer 2 broadcast which isnt much use as it was only supported on the 1000 series access points.
2 Layer 3 broadcast
As this is blocked by the router and the IP helper-address only forwards directed broadcasts, unicasts and 8 UDP ports by default. These are TFTP port 69, DNS port 53, time protocol port 37, netbios name server port 137, netbios datagram server port 138, BOOTP client and server ports 67 and 68, TACACS service port 49.
Therefore you need to explicitly allow prt 12223 LWAPP data protocol and or port 5247 CAPWAP data protocol
Router(config)#interface fa y
Router(config-if)#ip helper-address x.x.x.x
Router(config)ip forward-protocol udp 12223
3 OTAP which should only be used in commissioning as it is/was a security risk now deprecated it was part of the RRM. It is now deprecated since code 6.0 and RRM is encrypted.
4 Locally stored controller IP address
5 DHCP option 43 is used to return the WLC IP address and is vendor specific. This is the IOS command for option 43
ip dhcp pool
Option 43 hex
DHCP can be set on the switch,router or via a DHCP server.
Along with option 43 you can have option 60 which is the vendor class identifier and says only return option 43 if you are sending an ip address to a client that needs it like an access point and loooks like this in IOS.
option 60 ascii "VCI string of the AP"
This shouldn't matter in an enterprise as your aps should be on their own subnet however its handy as thats not always the case and it prevents clients getting uneccessary information.
Options 241 and 120 are not exactly options but sub options and define how the IP address is sent. for everything but the Cisco 1000 series this is 241 which is hex. For the 1000 series its 120 which is ASCII.
6 DNS , configure DNS to returm the controller IP address to a query for CISCO-LWAPP-CONTROLLER@localdomain, also if you are running code 5.2 or above it helps to use CISC-CAPWAP-CONTROLLER@localdomain.
Generally after priming access points I always implement DHCP option 43 and DNS in enterprise deployments as you pretty much know that th access points will home to a controlller when and if they upscale add or replace access points.
The reason for priming is that you can asign ap names, ip addresses and WLC addresses and designate where the access point is to be deployed rather than ending up with hundreds of access points pulling down ip addresses and not knowing where they are.