Changing vlan by specifying in the new role doesn't work for L3 authentication like captive portal.
In the CLI guide for command 'user-role <role> vlan x'
Identifies the VLAN ID or VLAN name to which the user role is
mapped. This parameters works only when using Layer-2
authentication such as 802.1X or MAC address, ESSID, or
encryption type role mapping because these authentications
occur before an IP address is assigned. If a user authenticates
using a Layer-3 mechanism such as VPN or captive portal this
parameter has no effect.
You could probably switch the vlan by having a server derivation rule based on an attribute returned by Clearpass, but I've not tested exactly that for captive portal. You would still need the short initial lease as Colin mentioned though.