You can restrict access to other elements of ClearPass under the Server Administration configuration for the ClearPass server. Go to the Network tab and apply ACLs to the other areas, i.e. the /tips access.
You can also add allow and deny ACLs on each ClearPass Guest web login page to only allow access from specific hosts or subnets.
This should give you the ability to restrict what particular subnets can see on ClearPass, and therefore you shouldn't need to change the port of the web server.