You could offload the AP traffic locally and use QoS to ensure the management tunnel traffic is preferred above the general WiFi data traffic.
My understanding is a CAPsMAN architecture creates a management tunnel and optionally tunnels all the data back to the controller under a second tunnel. I'm suggesting not tunneling the data back and protecting that management tunnel.
CAPsMAN appears to use UDP 5246 and UDP 5247. I'm not sure if only one of those is used for the management tunnel. You can use the port numbers to identify the traffic. You could also ensure other traffic reaches the manager reliably, like ICMP echo requests for example.
References:
https://wiki.mikrotik.com/wiki/Manual:C ... figuration
https://wiki.mikrotik.com/wiki/Manual:C ... rding_Mode
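One way to express the suggestion above as RouterOS configuration, as an added example that is not part of the original post. It assumes a router on the routed path between the CAPs and the manager; the interface name `ether1`, the manager address `192.0.2.10`, the rates and the mark and queue names are all hypothetical.

```routeros
# Added example, not from the original post. Assumed (hypothetical) values:
#   ether1      = uplink toward the CAPsMAN manager
#   192.0.2.10  = manager address (documentation placeholder)
#   100M        = usable uplink rate
# Applies on a router that routes traffic between the CAPs and the manager.

/ip firewall mangle
# CAPsMAN traffic: the post names UDP 5246 and 5247 and is unsure which one
# carries management, so both are marked. "port" matches source or destination.
add chain=forward protocol=udp port=5246,5247 action=mark-packet \
    new-packet-mark=capsman passthrough=no comment="CAPsMAN UDP 5246/5247"
# ICMP echo requests toward the manager get the same mark.
add chain=forward protocol=icmp icmp-options=8:0 dst-address=192.0.2.10 \
    action=mark-packet new-packet-mark=capsman passthrough=no
# Everything else leaving via the uplink is general traffic.
add chain=forward out-interface=ether1 packet-mark=no-mark action=mark-packet \
    new-packet-mark=general passthrough=no

/queue tree
# Parent queue caps the uplink so the child priorities take effect.
add name=uplink parent=ether1 max-limit=100M
# Priority 1 is highest, 8 is lowest; limit-at is the guaranteed rate.
add name=capsman-q parent=uplink packet-mark=capsman priority=1 \
    limit-at=2M max-limit=100M
add name=general-q parent=uplink packet-mark=general priority=8 \
    limit-at=10M max-limit=100M
```

This queue tree only shapes traffic leaving `ether1`; the return direction needs a matching tree on the interface facing the CAPs.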