Walled Garden is a method to 'punch holes' in your captive portal, and is based on DNS names. You typically use this to allow your corporate website, or allow traffic from your mobile app through the captive portal without users need to login. The analogy of a walled garden is that you can access everything within the wall, but nothing outside.
Session based ACLs are stateful firewall rules that are on the destination IP/port/domain/application. These ACLs are bound to roles, and are typically used for the access after authentication.
With recent Aruba Instant firmware, you can apply a 'pre-authentication role' for captive portal, which provides you similar functionality as the walled garden in ACL format. So you probably can use either way, where ACLs seem to provide the most flexibility, and Walled Garden is probably easier to configure.