Just wanted to give an update. We are narrowing down the symptoms. It appears that when the Apple devices such as iPads and iPhones go into power save and disable their radios the controller is aging them out of the user table which I am pretty sure is what is causing them to have to reauthenticate. They are still a known endpoint in ClearPass though and I verified that they are hitting the MAC caching service.
Technically, I guess the controller is behaving normally in a sense. One idea is to extend the global user idle timeout or set an idle timeout on the captive portal profile. An argument has been made that if they are idle that long then do they really need to be connected? As you can guess the political side of that one is thin ice....