I tried some things and here are my observations.
To enable logging:
uci set wireless.radio0.log_level=1
uci set wireless.radio1.log_level=1
uci commit wireless
wifi up
mobility_domain ends up in /var/run/hostapd-phy*.conf but it's not the grayed out value that's displayed in Luci (4f57), so it is computed in a different way, maybe what I read elsewhere that it's a hash of the SSID is correct. The values are consistent across all 3 APs though, so that's good.
The logs show WPA: FT authentication already completed - do not start 4-way handshake so I think it's working, at least for some clients (1 iPad so far).
Using the WiFiAnalyzer app on Android I can see WPA2-PSK+FT and RSN-PSK+FT for security, though this particular client does not seem to roam. Not sure at what signal strength clients decide to roam, I haven't seen this one lower than -70dBm.
In general the problem I have with the clients is that they see good signal strength from the AP but they can't reliably "yell" back at the AP (based on the numbers shown on the AP side, the clients have poor signal strength). The answer here might be to reduce the power of the "main" AP a bit to force clients to roam.