FB
New Contributor

FortiAP is negotiating Clear-text, ignoring better options

I have a new deployment, using:

Fortigate 120G Controller v7.4.9 build2829

and
FP231F-v7.6.0-build0894

 

After a lot of testing, I found that the FortiAP GUI is "click sensitive", as the click order of the checkboxes affects the DTLS encryption policies, so I stick with cfg -a AP_DATA_CHAN_SEC=ipsec-sn,ipsec,dtls,clear on the AP.

But in the controller...
I'm typing: set dtls-policy ipsec-sn-vpn ipsec-vpn dtls-enabled clear-text

And it is still showing clear-text first (in fact, the exact reverse of the order I want):

    config wireless-controller wtp-profile
        edit "MyCustomProfile"
            set dtls-policy clear-text dtls-enabled ipsec-vpn ipsec-sn-vpn
        end

 

OK, this could be only a "quirk", being ignored by the internal logic of using the most secure option first, regardless of the order shown in the CLI.

But... the sad story .. the channel is CLEAR-TEXT!!!!!!!!!

Why is that?

What do I want?
1) Use all options available on the AP
2) Use all options available on the controller
3) Use the most secure option possible and use clear-text only as a last resort

Why is it not working properly?




 
