I opened a support ticket but there cert order for the pem file did not work for either "certificate type: CA or Captive Portal Server"
What I did get to work was this:
1) Uploaded "Certificate Type: CA"
pem file contained private key and both intermediate CA certs but for some reason only when the 2nd intermediate was placed before the 1st.
This did not resolved the captive portal issue so I have no clue what it did if anything, but was successfully uploaded.
2) Uploaded "Certificate Type: Captive Portal Server"
Pem contained the following in the following order:
-Private key
-Server cert
-1st Intermediate CA
-2nd Intermediate CA
Upload was successful and the Captive Portal secure icon turned green and the acceptance acknowledgement worked fine. Guests can now get to the internet.
The Default Server CA still shows the https://securelogin.arubanetworks.com/ cert info but then shows our vendor CA info and our CP CA info for our public domain right under that. This appears to be correct based on some info I found about internal captive portal versus external captive portal. If we used an external captive portal then we would have needed to edit the securelogin info to reflect securelogin.mydomain.com, but since we are using the internal one this is normal.