I cannot tell you exactly what is happening without looking at the configs of the Switches and the WLC you have as I can think of a number of possibilities. For me, it'd be helpful to have that information but more so, the things that you've done. Basically, what are the items you've tried thus far?
SW-A: 10.133.55.1 <---TRUNK---> SW-B: 10.133.55.2
WLC-4404 10.128.55.10
First thoughts though are as follows:
1.) Who is able to ping the WLC?
a.) no one = check the interface on the switch and the WLC interface config, any firewalls
b.) same subnet, 10.128.55.0/24, but no other subnets = check routing
c.) all subnets on one switch but not from another switch = check trunk on SW-A & SW-B
2.) AP and WLC are able to ping each other but AP not showing up in WLC
a.) check DHCP has the proper option 43 (Vendor Specific Info) set which tells the AP what IP the WLC is.
b.) check any firewalls in between
c.) create new interface on WLC with the same VLAN subnet as the AP and test
d.) enable ssh on the AP and do a show log to see if anything peculiar sticks out
3.) You've checked all possibilities and as the config stands everything should work
a.) reload the switches, APs, WLC
b.) pull out the configuration and put the configuration back in specific to the issue
c.) try a different interface on the switch for the WLC
d.) try a different interface on the WLC (maybe create a new one)
e.) get on Cisco.com and use the bugtoolkit to see what bugs are out there for your particular WLC version.
f.) upgrade the WLC version a revision up and test.
I realize that some of my ideas are not really applicable, but I'm just throwing some ideas out there to maybe help give a new perspective on the problem. I've found just taking a break to think about something else and then coming back helps me.
One way to solve this problem is to change the AP connection to a layer 2 trunk with both VLANs on the trunk. You can have two different SSIDs (one for users, one for guests) and each SSID is associated with a VLAN. When a client connects to the Guest SSID, her data goes on VL 200; a regular user's data goes on VL 100.
You will need separate DHCP scopes for each VLAN, either on the AP or a central DHCP server.
Best Answer
Putting the APs and the controller in the same L2 domain is the simplest solution as you don't have to do anything else for them to find one another. If you put the APs on a different subnet then you have to either configure DHCP option 43 on the APs' subnet or put in a DNS entry for cisco-capwap-controller.DOMAIN-APs-GET-FROM.DHC. Formerly this was cisco-lwapp-controller.
You'll need to give the secretary either admin or lobby admin access to the WLC so that they can create the logins. It doesn't need an additional interface for guest wifi but you can use one and plug it into the DMZ for better isolation.
Edit: Corrected DHCP option number as @generalnetworkerror pointed out my faulty memory.
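Both answers above that mention DHCP option 43 leave out what the value looks like. The following is an added example, not code from any poster in this thread: it builds and checks the option 43 hex string using the type/length/value layout Cisco documents for lightweight APs (sub-option type 0xf1, length of 4 bytes per controller, then the controller IPv4 addresses). The function names are hypothetical, and the sample scope values are constructed around the WLC address 10.128.55.10 from the thread.

```python
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1  # sub-option type Cisco lightweight APs read for controller IPs

def encode_option43(controllers):
    """Build the option 43 hex string for a list of WLC management IPv4 addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(payload) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return (bytes([CISCO_WLC_SUBOPTION, len(payload)]) + payload).hex()

def decode_option43(hex_value):
    """Parse an option 43 hex string into controller addresses; reject malformed values."""
    cleaned = hex_value.replace(".", "").replace(":", "").replace(" ", "")
    raw = bytes.fromhex(cleaned)  # raises ValueError on non-hex input
    if len(raw) < 2:
        raise ValueError("value too short for type and length bytes")
    sub_type, length, payload = raw[0], raw[1], raw[2:]
    if sub_type != CISCO_WLC_SUBOPTION:
        raise ValueError(f"unexpected sub-option type 0x{sub_type:02x}")
    if length == 0 or length % 4 or length != len(payload):
        raise ValueError("length byte does not match a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, length, 4)]

def check_scope(hex_value, expected):
    """Return (ok, detail): does the scope hand out exactly the expected controllers?"""
    try:
        found = decode_option43(hex_value)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if found != list(expected):
        return False, f"scope points at {found}, expected {list(expected)}"
    return True, "ok"

if __name__ == "__main__":
    wlc = ["10.128.55.10"]  # WLC address from the thread
    print("option 43 hex:", encode_option43(wlc))
    # Constructed sample values, as they might be copied out of a DHCP scope
    for sample in ("f104.0a80.370a", "f1040a80370b", "0a80370a"):
        print(sample, check_scope(sample, wlc))
```

The second and third constructed samples show the two failures worth catching on the AP subnet: a well-formed value that points the APs at an address other than the intended controller, and a bare IP address entered without the type and length bytes.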