That is due to the fact that the Apple Captive Portal network assistant is being invoked. Your i-Device (and MAC OSX Lion) will try to reach a URL at apple.com and retrieve a page. If it cannot retrieve it, it will launch the Captive Portal Network Assistant and ask the client to login. What that does is break the redirect functionality you are mentioning. How to deal with that functionality using Amigopod is here: http://www.arubanetworks.com/pdf/technology/Amigopod-CNA-bypass-AppNote.pdf
To deal with that using built-in ArubaOS is probably to allow all traffic to *.apple.com. First, you would turn on the controller's built in DNS server, then turn on lookups. Next you will define an alias of *apple.com:
config t
ip name-server 8.8.8.8
ip domain-name <your company.com>
ip domain-lookup
netdestination apple
name *.apple.com
exit
You would then create a firewall policy that allows all http traffic to the apple alias and push that firewall policy to the top of your "logon" or initial role for your WLAN:
ip access-list session "apple-bypass"
any alias "apple" "svc-http" permit queue low
!
user-role "logon"
access-list session "logon-control" position 2
access-list session "captiveportal" position 3
access-list session "apple-bypass" position 1
logon of course is the initial role that your clients get. It could be <your wlan-logon>. Please insert the correct role in here.
Does that make sense?