Hey,
here are my answers of your questions:
Can you share your ACL rules under the role ?
initial user role: guest-selfreg-cppm-cp (logon-control, allow-cppm, captive portal).
Logon-control and captive-portal are default policies.
allow-cppm = allow http and https to CPPM IP(s)
Can you confirm that the device is getting the correct DNS server?
Yes, all of the dievices get the same DNS Server IP
Can you reach clearpass using the IP instead of the dns name?
yes, i can
Did you enabled the apple CNA?
no, not at the moment. but this afternoon for testing purposes - without any difference in the test result.