Michael,
You can, in theory, switch VLANs on a captive portal authentication. For Aruba, return the VLAN with the captive portal authentication from your authentication server.
However, realize that captive portal requires a valid IP address on the client. If you switch VLANs to a different VLAN before and after authentication, your client will still have the same IP for the old VLAN, resulting in loss of connectivity.
Switching VLANs after clients received IP addresses is a problematic thing in general. Clients typically don't like VLAN switches by the network.
Some report that setting the DHCP lease time very short (10-20 seconds) may work, as the client will then renew the IP every time; however, this approach is a bit flaky.
With Aruba WLAN, the better solution is to use different roles and put access-lists and QoS on those roles. The roles may switch and change the access while the client remains in the same VLAN subnet, which is probably the result that you want to achieve.
Herman