I am currently working on an ISE project with Aruba wireless. From what you are describing you may want to look into onboarding / BYOD. That user flow has the user log into a onboarding portal and then install profiles on their devices that configures the network settings. From there the user would connect to another SSID (or the same depending on configuration) and use dot1x. You can assign different access rights using user roles that are passed back in the RADIUS accept message.
1. You should configure both, especially if you are using portals. ISE uses CoA to change authorization after the user has authenticated through the portal. CoA can also be used manually or through other flows if you want to remove a device from the network.
2. Integrate ISE with AD. You can then create policies that reference AD groups or other attributes and assign user roles on the controller that match the access requirements.
3. You can either a single SSID or dual SSID configuration. Single SSID the user would connect to the SSID using PEAP and then get redirected to a onboarding page where a specific profile is installed. The profile installed can be determined by the username and AD group. A dual SSID configuration you would have an open SSID that redirects to a BYOD portal that the user can login into. From there they would install a profile and then re-connect to the other, secured SSID.
4. This can be a fairly complicated setup and I can't provide a step by step on how to do it. I'm also learning my way through it. I would suggest you start by reading the Cisco documentation and visit the ISE community forum. They have a lot of great information on there, including how to integrate with Aruba. Here are some links:
https://communities.cisco.com/community/technology/security/pa/ise
https://communities.cisco.com/docs/DOC-64547
https://communities.cisco.com/docs/DOC-68531
https://communities.cisco.com/docs/DOC-64018
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-20/211406-Configure-Guest-Flow-with-ISE-2-0-and-Ar.html