First some constructive critcism, it would signifcantly help if you could slightly format your text, to make it a bit more readable:-)
In a guest captive portal workflow there are usually two relevant certificates, which need to be issued by a Public CA in order to be trusted broadly by wireless clients.
- Guest Portal Certificate (Captive Portal aka Splash Page)
- Web-Server Certificate on Instant AP
With Cloud Guest (CG) Aruba provides 1), signed by Comodo with the CG subscription. You can't replace that certificate as it is tied to your splash page in Cloud Guest.
Instant automatically triggers a redirect to the CG portal, once it sees HTTP/HTTPS connections coming from an unregistered device.
For 2) you can theoretically upload your own publically signed certificate.
Under Global Settings > Certificates, you can upload a custom certificate, which is pushed to your IAPs.
Under Wireless Management > Security > Certificate Usage > Captive Portal you can then select your custom certificate.
Please note, that if you move away from the aruba_default CP portal certificate (signed by DigiCert), and replace it with your own, you need to configure the setting "Override Common Name" in the splash page and specify a string that matches the CN of your new cert.
I don't really see any major benefits of replacing that certs, for pretty much all CG customers, what Aruba provides out of the box works well.