Hi,
As per my understanding, you want to onboard all the clients that are trying to access the Internet, so the solution is simple: during authentication, instead of redirecting to the CP page, redirect to the Onboarding page (CPPM server) so that the user can finish both authentication and onboarding. Once the onboarding is finished, we can map the same client to a different role so that the user can access the corp resources accordingly.
To get it done, you should allow HTTP and HTTPS traffic to the CPPM server in the policy mapped to the initial role (add "User <CPPM server IP> HTTPS permit" and "User <CPPM server IP> HTTP permit" to the existing CP policy).
Please let me know if you need some help with onboarding.