We had the same problem here. By changing the policy as stated above seemed to solve the problem. You still have to SSH into the AP and set the director to the IP address of your vSCG. It seemed to work intermittently from then on. Let me know how you get on.