Sorry for the late reply. I was taken off the project for a while and only got envolved again on Thursday.
We ended up with a support case, lots of calls back and forward with Aruba support and a potential bug that was sometimes replicated and sometimes not in their lab.
In the end we had to flatten the IAP virtual controller and reset the IAPs to factory and do a cluster reset-database on the CPPM.
We got things working but then hit a number of small bumps along the way.
The original plan was to setup a single SSID with captive portal for both guest and employees. Guests to self register, employees to be AD authenticated and that was fine. What we couldn't do was come up with any method for moving guests from the default vlan to vlan 200 post authentication.
Then we were going to do 2 SSIDs with seperate captive portals, but found the the URL for the captive portal on the IAP virtual controller is a global setting so both SSIDs were served the same page regardless. We also found that after 5-10 minutes of inactivity, employees were being disconnected and had to enter there AD credentials again to continue access. Not ideal.
So the next best option was 2 SSIDs with the employee one using 802.1x, but couldn't get past the need to modify the profile for each users laptop to be able to accept the GoDaddy cert we had installed.
Finally we ended up with a guest SSID with self-registration and an employee SSID with WPA2 Personal. Not ideal but at least something is working now.
Would I be right in thinking that the path we really wanted to go down was BYOD via Onboarding so that staff could register their own devices, get a certificate installed and then the device would automatically connect for the life of the certificate?
If Onboarding is indeed the holy grail for our employee users, how would we publish a device registration page on the employee SSID and not the guest SSID?
I'm left wondering how many of these things are possible if any and whether a mobility controller would have been the answer to some of the issues.