...
When you re-visit the "Edit IdP" page later from the Institution Overview page, the explanatory texts are condensed in order not to overload the user interface. You'll certainly find your way around without the wizard texts.
Regarding the SSIDs to configure (options "Additional SSID" and "Additional SSID (with TKIP)": eduroam CAT always produces one installer for the SSID eduroam which is configured for both WPA/TKIP and WPA2/AES. You do not have to configure the eduroam SSID. The generated installers for this SSID will possibly be shown on your users' screens as "eduroam (with TKIP)". When their computer chooses this profile for the connection this does NOT mean it is trying to connect via TKIP. The operating system will automatically choose WPA2/AES if that is available at the hotspot.
The reason for still including WPA/TKIP is that your users may roam to other hotspots which may not have made the transition to AES yet. When TKIP is configured, eduroam will continue to work for your users at these hotspots; otherwise, they would have to reconfigure their computer.
Profiles
Profiles are the specific EAP configurations for your user group(s), and installers are always generated for specific profiles. If you only have one user group, the distinction between institution-wide and profile-wide settings does not make a difference. However, many IdPs have different user groups which share some properties, but not all. One example is where on the one hand students have username/password accounts, authenticating with PEAP and generic helpdesk contact points, and on the other hand permanent staff have TLS Client certificates with EAP-TLS and access to a better second-level helpdesk just for them.
...