Can you share the output of the user role?
show rights <NameofRole>
Did you change the rules at all when you changed to split-tunnel? You need to change the action for non-tunneled traffic to "route src-nat" instead of "permit"
For example:
ip access-list session split-tunnel-policy
user any svc-dhcp permit (allows DHCP from controller or corporate LAN)
user any svc-dns permit (allows DNS to tunnel to the corporate LAN)
user alias corp-nets any permit (allows all traffic to corp-alias through tunnel)
user any any route src-nat (everything else is NAT'd out the RAPs IP)
user-role split-tunnel-role
access-list session split-tunnel-policy