This would require more thought with your local Aruba SE BUT have you considered using ClearPass with guest page restrictions? There is a new-ish feature which can limit access to the guest pages and not the entire box. That way, you can allow communication to the server without worrying about any breach of security.
From 6.1 release notes:
CPPM now supports specification of allow and deny lists for access to CPPM / Guest Operator / Insight pages via IP addresses or subnet.
You can also try the virtual controller IP assigned network for the guest SSID. I see your point on the separate network but with firewall policy, instant can really limit the risk.