I'm having a similar issue, but I believe it's set up right.
I have the L3 auth set up - default role is the guest-cp-role and default guest role is also the same (just testing for now - simply want to get to captive portal web). Login page is set to https://ip
Under the AAA Profile I have initial role, MAC role, and 802.1X role all set to guest-cp-role.
The guest-cp-role has the captive portal L3 auth under it and allows DHCP and 443 traffic only to that captive portal host.
I get on, am able to get an IP from that network, but can't telnet on 443 to that box or anything... any ideas on what I could've missed? Thank you!