It's been a long time since I've updated this post, but I did want to provide some information so that others might gain some use from it in the future:
I did find a way to uniquely identify the traffic on a per-GRE Tunnel basis. I do have additional issues with the post-authentication roles, but that is something that I'm working on several possible workarounds with TAC and is out of scope for this post.
Although traffic coming through the GRE tunnel loses the Aruba-Essid-Name RADIUS attribute, there is another attribute that is introduced since it is now wired access traffic. It is the Aruba-Port-Id attribute and consists of the following format: <ipaddr of dmz>:x/x/x
For example, 10.10.10.123:1759/0/4
The numbers in the port seem to be random but are unique on a per-tunnel basis, so if we have multiple tunnels, we will see multiple Aruba-Port-Id values coming into CPPM.
You can then use that value to match to a Service profile. It is not elegant but the value remains consistent through reboots, upgrades, etc. Scaling this for some companies might be a problem... For example, we have 5 remote controllers, each with 3 GRE tunnels. Those controllers have primary GRE tunnels to one data center and failover GRE tunnels to another data center DMZ controller. This requires us to include 5 x 3 x 2 = 30 values in the CPPM Service Rule lookup!
Hopefully this helps someone in the future!
Rob.