Make sure you have all three aaa components setup with tacacs servers
authentication
accounting
authorization (i was missing this and it just kept cycling the login)
Also found that these are the Official roles you can send and yes you can send more then one.
https://networkproguide.com/how-to-configure-cisco-wlc-tacacs-cisco-ise-2-4/
"The WLC uses TACACS+ custom attributes defined as role1, role2, etc… with a value that corresponds to the access level you wish to grant within that profile. The available roles are MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, COMMAND, ALL, and LOBBY.
The first seven listed roles control access to the respectively named menus in the WLC web user interface. ALL grants read-write to everything, LOBBY grants access to the Lobby feature, which I won’t be covering here.
When configuring a TACACS Profile you can configure multiple roles as multiple custom attributes to allow read-write access to multiple menus and read-only to the rest. For example, if you wanted someone to have access to WLAN and WIRELESS you could create a TACACS Profile with two roles (Role1 and Role2) with values WLAN and WIRELESS respectively like so:
Role1 = WLAN
Role2 = WIRELESS"
for full r/w access
Role1 = ALL