Part of the problem is the DST of a frame is not always the router's mac but the client mac address. So if the non-Aruba WLAN AP is L2 on the same network, from a traffic flow perspetive you are going to see SRC and DST of the non-Aruba client to the Aruba client and not the macaddr of the non-Aruba AP (it's there because it's L2, but if it's all on the same L2, then everyone is on the same CAM table). So if that is the goal, it would be better to put the non-Aruba WLAN into a separate VLAN, or put the Aruba-clients into their own VLAN. Ultimately though if everything is L2, then you would have to write ACLS that block based on SRC/DST macaddr which likely isn't feasible...
IMHO I think your best options are to move the non-Aruba WLAN APs into their own VLAN. Get rid of the shared L2 between two disparate WLAN systems.