The controller uses the CN of the certificate in the HTTP 302 (Moved Temporarily) redirect. The client will do a DNS lookup of this name; the controller will intercept this lookup and return a DNS reply with its switch IP. This is how the captive portal works.
So the CN of the certificate needs to be in FQDN format. Otherwise, the client will NOT try to resolve it.
In case the CN of the certificate is not in FQDN format, the following workaround can be used:
On the customer DNS server, make sure that the zone serving the wireless clients has a name matching the CN of the controller certificate. The IP address of this name should be the controller's switch IP.
When the wireless user tries to resolve the CN, the resolver will append the domain name. The controller won't intercept it, but the real DNS server will return the correct IP address, so the user can still reach the controller and get the captive portal page.
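The two resolution paths above (FQDN CN intercepted by the controller; short CN plus search domain answered by the real DNS server) as an added example, not code from the original note or from any controller vendor. The switch IP, search domain and zone records are constructed sample values.

```python
import re

# Constructed sample values (not from the original note).
SWITCH_IP = "10.0.0.1"
SEARCH_DOMAIN = "corp.example"
# The customer DNS zone that serves the wireless clients (constructed).
DNS_ZONE = {
    "captiveportal.corp.example": "10.0.0.1",
}


def is_fqdn(name: str) -> bool:
    """True if the CN is a fully qualified name: two or more valid labels."""
    name = name.rstrip(".")
    if not name or len(name) > 253 or "." not in name:
        return False
    label = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
    return all(label.match(part) for part in name.split("."))


def client_lookup(cn: str, search_domain: str, dns_zone: dict, switch_ip: str) -> dict:
    """Simulate how the client resolves the name from the controller's 302.

    FQDN CN: the client queries the name as-is and the controller intercepts
    the query, answering with its switch IP (the normal captive portal path).
    Short CN: the client's resolver appends its search domain and the query
    reaches the real DNS server, so the portal is reachable only if the zone
    holds a record for that name pointing at the switch IP (the workaround).
    """
    if is_fqdn(cn):
        return {"queried": cn, "answer": switch_ip,
                "path": "controller-intercept", "reaches_portal": True}
    queried = f"{cn}.{search_domain}"
    answer = dns_zone.get(queried)
    return {"queried": queried, "answer": answer,
            "path": "real-dns", "reaches_portal": answer == switch_ip}


if __name__ == "__main__":
    for cn in ("captiveportal.corp.example", "captiveportal", "portal"):
        print(cn, "->", client_lookup(cn, SEARCH_DOMAIN, DNS_ZONE, SWITCH_IP))
```

A record that exists but points at a different address than the switch IP is reported as not reaching the portal, which is the misconfiguration to check for when applying the workaround.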