So if I understand your question, you have an IAP VLAN, which can reach ClearPass. However, you have a Guest VLAN, which cannot reach ClearPass and the captive portal page is hosted on CPPM?
The Guest user needs to be able to resolve the captive portal page from their VLAN, so is it possible to configure the Data Port on CPPM to be in the Guest user's subnet?
Does the customer know you can manage the guest user's level of access from the Roles assigned in the IAP, since it has its own stateful firewall? So you could permit HTTP/HTTPS access to ClearPass. On CPPM, you can also configure Access Restrictions that prevent any user from the Guest subnet from getting to the Policy Manager login page to add additional security.