First thing, the Initial role in the AAA profile should be a name that looks like "***logon". That Role should have the Captive Portal ACL that redirects port 80 and 443 traffic to the controller. In that role, the Captive Portal Authentication profile should be referenced.
That is what it should be on a basic level.