If you are using the Aruba controller you need to configure your Initial role this way otherwise as Troy said this is going to fail:
ip access-list session CPPM-CP-ACL
any any svc-dhcp permit
user any svc-dns permit
user any svc-https dst-nat 8081
user any svc-http dst-nat 8080
user alias <CLEARPASS IP> svc-https permit
user alias <CLEARPASS IP> svc-http permit
user-role GUEST-PORTAL-ROLE ---->>> This is the initial role under the guest AAA Profile
access-list session CPPM-CP-ACL
And then on your GUEST-ROLE ---->>> This is the role in the Captive Portal Profile
ip access-list session GUEST-ACL
user any udp 68 deny
any any svc-dhcp permit
user any svc-dns permit
user any svc-https permit
That option you are talking define how do you send authentication through a Secure or Unsecure method and what you control in the initial role is for the redirect which is in this case is to the ClearPass server and once the user passes authentication (HTTPs or HTTP Clear Text) you then can control what the user has access to .
Hope this makes sense.