Just configure your firewall policies for the roles on that SSID so that they cannot talk to other networks. The AP will do the firewalling for you. When you say they cannot see any other network, do you mean even the Internet? Two examples below.
The following is an example to block other networks (Internet is allowed):
netdestination BLOCK-NETS
  network x.x.x.x y.y.y.y
  network x.x.x.x y.y.y.y
ip access-list session BLOCK-OTHER-NETS
  user alias BLOCK-NETS any deny
user-role BRIDGE-USER
  access-list session BLOCK-OTHER-NETS
  access-list session allowall
The following is an example to allow only local communication; nothing else:
netdestination BRIDGE-NETS
  network x.x.x.x y.y.y.y
  network x.x.x.x y.y.y.y
ip access-list session BRIDGE-NET-ACCESS
  user alias BRIDGE-NETS any permit
  alias BRIDGE-NETS user any permit
user-role BRIDGE-USER
  access-list session BRIDGE-NET-ACCESS
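
A way to sanity-check both roles offline before pushing them, added here as an example and not part of the original post: a small Python model of the two roles, assuming session ACLs are evaluated first-match in the order listed on the role, with an implicit deny when nothing matches. The function names and the sample networks standing in for `x.x.x.x y.y.y.y` are constructed for illustration.

```python
import ipaddress

# Constructed stand-ins for the x.x.x.x y.y.y.y placeholders in the post.
ALIASES = {
    "BLOCK-NETS": [ipaddress.ip_network("10.10.0.0/16"),
                   ipaddress.ip_network("172.16.0.0/12")],
    "BRIDGE-NETS": [ipaddress.ip_network("192.168.50.0/24")],
}

def matches(spec, ip, client_ip):
    """Match one ACL field: 'any', 'user' (the client's own address), or an alias."""
    if spec == "any":
        return True
    if spec == "user":
        return ip == client_ip
    return any(ip in net for net in ALIASES[spec])

def evaluate(role_acls, client_ip, src, dst):
    """Assumed semantics: first matching rule wins, no match means implicit deny."""
    client_ip, src, dst = map(ipaddress.ip_address, (client_ip, src, dst))
    for acl in role_acls:
        for rule_src, rule_dst, action in acl:
            if matches(rule_src, src, client_ip) and matches(rule_dst, dst, client_ip):
                return action
    return "deny"

# Rules are (source, destination, action); the service field is 'any' throughout.
ALLOWALL = [("any", "any", "permit")]
# First example: deny the listed networks, then fall through to allowall.
ROLE_BLOCK = [[("user", "BLOCK-NETS", "deny")], ALLOWALL]
# Same ACLs attached in the wrong order: allowall matches first.
ROLE_BLOCK_MISORDERED = [ALLOWALL, [("user", "BLOCK-NETS", "deny")]]
# Second example: only traffic to and from the bridge networks.
ROLE_LOCAL = [[("user", "BRIDGE-NETS", "permit"),
               ("BRIDGE-NETS", "user", "permit")]]

if __name__ == "__main__":
    client = "192.168.50.20"  # constructed client address
    roles = [("block", ROLE_BLOCK), ("misordered", ROLE_BLOCK_MISORDERED),
             ("local-only", ROLE_LOCAL)]
    for name, role in roles:
        for dst in ["10.10.1.5", "8.8.8.8", "192.168.50.1"]:
            print(f"{name:11} {client} -> {dst:13} {evaluate(role, client, client, dst)}")
```

The misordered role shows why the deny ACL has to sit above `allowall` on the role: with the order swapped, the blocked networks become reachable.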