There are a couple of ways to open your ACL rules for the user role that presents your captive portal.
I went for the ugly method of doing individual IP addresses, as some of the OCSP names are some form of round-robin DNS. But there is a way to do it based on DNS, which would be the easiest way. I believe that it is described in the User Guide. I haven't gotten around to moving my configuration over to a DNS-based one, but it seems like a much easier thing to maintain.
If you can't find the instructions, let me know, and I will dig around for them.
The cert you are using for the Captive Portal should have the DNS name of the OCSP server that you need to open up.
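To find out which OCSP hostnames the captive-portal user role actually needs opened, the practical step is to read the Authority Information Access extension out of the portal certificate rather than guessing. The script below is an added example, not code from the thread or from any vendor; it assumes OpenSSL 1.1.1 or newer on the path and a PEM certificate file. The `make_sample_cert` helper only builds a throwaway self-signed certificate with placeholder `*.example.test` OCSP URIs so the script can be exercised offline; on a real portal you would point `ocsp_hosts_from_cert` at the certificate you installed.

```shell
#!/bin/sh
# Added example (not from the original thread): list the OCSP responder
# hostnames a captive-portal ACL must allow, taken from the certificate's
# Authority Information Access (AIA) extension. Assumes openssl >= 1.1.1.

# Print every OCSP responder URI embedded in a PEM certificate.
ocsp_uris_from_cert() {
  openssl x509 -noout -ocsp_uri -in "$1"
}

# Reduce a URI to its host part: drop the scheme, then anything from the
# first ':' (port) or '/' (path) onwards.
uri_host() {
  printf '%s\n' "$1" | sed -e 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##' -e 's#[/:].*$##'
}

# One hostname per line, de-duplicated, that the user role's ACL needs to
# open before authentication (OCSP responders normally answer on plain HTTP).
ocsp_hosts_from_cert() {
  ocsp_uris_from_cert "$1" | while IFS= read -r uri; do
    [ -n "$uri" ] && uri_host "$uri"
  done | LC_ALL=C sort -u
}

# Constructed sample for offline runs: a self-signed certificate carrying two
# placeholder OCSP URIs. Arguments: output cert path, output key path.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=portal.example.test" \
    -addext "authorityInfoAccess=OCSP;URI:http://ocsp-a.example.test:80/,OCSP;URI:http://ocsp-b.example.test/status" \
    -keyout "$2" -out "$1" 2>/dev/null
}

# Usage: ./ocsp_hosts.sh /path/to/portal-cert.pem
if [ -n "$1" ]; then
  ocsp_hosts_from_cert "$1"
fi
```

The hostnames this prints are the ones to put in the DNS-based ACL entries for the pre-authentication role; resolving them once and hard-coding the addresses, as the post above describes, breaks as soon as the round-robin pool behind the name changes.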