You could put them in a role that denies all layer 3 access if they connect to the other SSIDS, but there is really no way to stop them from associating to the SSID. It's a client decision.
You might want to check the latest Profile Manager from Apple and see if a configuration profile can block certain networks. I know Windows can do this via Group Policy or netsh scripts.