WDS has nothing to do with WPA. WDS is used for the passing of radius to a designated access point, hence stopping the need for all access points authenticating to one radius server. WPA occurs after the user is authenticated. I know this because we're implementing wireless across our entire campus using Cisco 1230's and have already deployed them in 4 buildings. I've successfully setup WDS, with EAP-PEAP with WPA encryption and it works very well.
I also cannot get MAC's running OS 10.3 to connect to our wireless network using WPA. According to our radius logs, the user successfully authenticates via EAP-PEAP but the WPA key process seems to fall over. Are you experiencing the same problems?