Most security-conscious deployments end up separating the internal ClearPass servers (AAA, AD integration) from the DMZ ClearPass servers (Guest, OnBoard).
If you don't use the guest self-registration workflows, and instead have operators inside the organization (on the trusted network) create the guest accounts, you can use the built-in captive portal of the controller. Probably even better is to host the captive portal page on an external web server that is whitelisted for the captive portal role: the unauthenticated client is then allowed to reach only that server and the controller's login handler. If you host that page on the corporate website, you get all the branding for free.
The HTML code required for the authentication POST can be retrieved from the internal captive portal of your IAP or controller, or check this post to get you started.
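As an added example (not code from the original post or from Aruba), here is the minimal form such an externally hosted page needs. The action URL and the field names (`user`, `password`, `cmd`, `url`) are the ones commonly found on the controller's built-in login page, but treat them as assumptions and copy them from your own controller's or IAP's internal captive portal, as the text above suggests, because they can differ between platforms and firmware versions.

```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Guest Wi-Fi login</title>
  <!-- Serve this page over HTTPS from the corporate web server.
       The credentials are POSTed to the controller, not to this server,
       so the web server never sees or stores them. -->
</head>
<body>
  <h1>Guest Wi-Fi</h1>
  <!-- Assumed controller login handler; confirm against your controller's
       built-in captive portal page. Must match the name in the controller's
       certificate, otherwise the client gets a certificate warning. -->
  <form method="post" action="https://securelogin.arubanetworks.com/cgi-bin/login">
    <label for="user">Username</label>
    <input id="user" name="user" type="text" autocomplete="off" required>

    <label for="password">Password</label>
    <input id="password" name="password" type="password" autocomplete="off" required>

    <!-- Assumed field names: "cmd" tells the handler which action to run,
         "url" is where the client is sent after a successful login. -->
    <input type="hidden" name="cmd" value="authenticate">
    <input type="hidden" name="url" value="https://www.example.com/welcome">

    <button type="submit">Log In</button>
  </form>
</body>
</html>
```

Two things to check before going live: the web server hosting this page (and anything it loads, such as stylesheets or images, preferably from the same host) must be in the controller's whitelist for the captive portal role, and the page should not pull scripts from third-party CDNs, since each extra host either has to be whitelisted too or breaks the page for unauthenticated clients.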
Having a ClearPass for guest in the DMZ allows you to run the fancy guest workflows and to give users better feedback on authentication errors such as a bad password, too many devices, or traffic volume exceeded.