Ok with a little help from some Aruba friends i was able to get this working.
Cisco switch side must have.
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
keep in mind depending on the command you want to restrict you may need all commands 1 - 15 in your cisco config.
CPPM
In your enforcement profile
selected service = shell
privilege level = 15
In your commands tab
service type = shell
check enable to permit unmatched commands.
click add
command = show
argument = version
leave the rest default click save and test.
*edit* forgot to mention the wildcards.
The wildcard is .* (period star)
so GigabitEthernet 1/0/.* cover all ports on switch 1.