In this Scenario, the SSID's broadcasted by the AP contains a bridged SSID as well , while the FortiAP profile assigned to this profile onlys contain Tunnel SSID's for both RADIO 1 and RADIO 2. An 'Overridden' message is seen next to the FortiAP profile.

This is because 'set override-vaps' is 'enabled'. This command allows to manually configure VAPs (Virtual Access Point)s on each AP radio on a per-AP basis instead of relying on the WTP profile's defaults. 

To disable the override made by FortiAP for the AP profile, the following changes must be applied on the individual FortiAP's settings.

From the FortiGate GUI:

Under WiFi & Switch Controller -> Managed FortiAPs -> Select the AP and select Edit -> Disable the 'SSIDs' option under Override RADIO 1 and Override Radio 2.

From the FortiGate CLI:

config wireless-controller wtp

    edit "<Serial number of the AP>"

        config radio-1

            set override-vaps disable

        end

        config radio-2

            set override-vaps disable

        end

end

Important note: Once this setting is applied from the CLI, the managed FortiAP will go offline and rejoin the fabric again, but will have no effect when performed from the GUI.

Once the FortiAP is back Online, only Tunnel mode SSIDs will be broadcasted as per the FortiAP profile configuration.