MattF, ClearPass is a security box. You can say what IP addresses can and cannot be serviced by the guest page, period, so from a security perspective, you can use HTTPS and protect any authentication traffic that you want.
Is there already a site-to-site VPN for wired traffic between the remote site and the core? If so, maybe the guest traffic can ride that tunnel and get split out in the DMZ. If there is no site-to-site VPN for wired traffic, you should just use a public IP address for CPPM and protect it, just like everyone else does. It's only for authenticating guest traffic, right? You pretty much do not care about any of the other traffic, so why force all the traffic to go back to the core over a tunnel for guest traffic, when you can just use HTTPS? Why build all of that infrastructure and then put redundancy on top of it, just for guest traffic? If that option has not been given, I would certainly present it.