Well, if you're doing normal guest captive portal with Controller Initiated login then CoA doesn't come into account during this first login.
Since you have CPPM VIP I'm assuming this is a CPPM cluster setup using Publisher - Subscriber as Standby Publisher. Can you verify that the cluster is in sync and that your cppm1 is designated Publisher?
Any related entries in the Access Tracker and Event viewer you can share?
Other thoughts..
What you describe, though, is a common scenario when Radius doesn't go through, is rejected due to missing/wrong Radius config (secret, wrong controller IP used as device, etc.), or the correct service doesn't hit.
-> Is there perhaps some firewall/access list denying Radius from Controller to the VIP?
Anything in the logs on the controller?