A DNS entry should not be configured in the infrastructure for the FQDN of the Captive Portal Certificate on the controller. The controller automatically intercepts DNS requests for the FQDN of the Captive Portal Certificate from WLAN clients and responds with the IP address of the controller that the client is on. This is used for the initial Captive Portal redirect and for Captive Portal Authentication later.
The customer should and must use 2 different public certificates for the Controller Captive Portal and the ClearPass Server. Since the controller will intercept DNS requests for the FQDN of the certificate imported into the captive portal on the controller, the admin will never be able to send clients to the ClearPass server in the Captive Portal Authentication logon page parameter, because the controller will always answer with its own IP address, creating a loop.
You should, however, create a DNS entry for the ClearPass server in the infrastructure based on the FQDN of the ClearPass Captive Portal Certificate. Please read the ClearPass Certificates 101 document here for details: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=33288
Multiple Controllers can and should use the same certificate, because the controller always responds to the client with the ip cp-redirect-address of the controller that the client is on for DNS requests for the FQDN of the controller's captive portal certificate. Create the CSR for the controller captive portal certificate offline, however. If you create it on a single controller, the certificate will only work on the controller that you created the CSR on.
If using ArubaOS 8.x with an MM, the admin should import the controller's captive portal certificate by navigating to the highest level folder where all controllers would need access on the MM at Configuration > System > Certificates. Click on the + sign to import. Give it a friendly, non-cryptic name that means something and make sure the certificate type is ServerCert. After that is saved and pushed, you need to assign that certificate to the Captive Portal of your MDs. You would do this by again making sure you are at the highest folder of the hierarchy of all the MDs that you want to share the Captive Portal Certificate. Then go to Configuration > System > More > General > Captive Portal Certificate and select the Server Certificate to be the friendly name of the certificate you just imported.
That will make all of your MDs use the same certificate.
While on this page, make sure you navigate down to each MD to ensure they are all pointing to the certificate you imported and that there is no blue dot on this parameter. If you changed this parameter at the MD level at any time, it will override whatever you did higher up in the hierarchy.
Yes, it would cause an issue if the same cert is on ClearPass and the MDs, because the controller always intercepts DNS requests to the FQDN of the certificate with its own IP address. Also, the form in ClearPass needs to reference the FQDN of the controller when doing the submit for captive portal authentication. Lastly, you need to initially forward clients to the FQDN of the ClearPass page in the "logon page" parameter of the Captive Portal Authentication profile, and that will not work if that same FQDN is on the controller certificate.
I hope that helps in any way,...
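The DNS behaviour described above can be modelled as a pre-deployment design check; this is an added example, not Aruba or ClearPass code. The hostnames, IP addresses, logon page path and function names are constructed for illustration, and the interception is reduced to an exact FQDN match.

```python
from urllib.parse import urlsplit

def _norm(name):
    # Compare DNS names case-insensitively and without a trailing dot.
    return name.strip().lower().rstrip(".")

def client_resolve(name, controller_fqdn, controller_ip, infra_dns):
    """Answer a WLAN client gets: the controller answers for the FQDN of its
    own captive portal certificate, everything else comes from infrastructure DNS."""
    if _norm(name) == _norm(controller_fqdn):
        return controller_ip
    return infra_dns.get(_norm(name))

def check_captive_portal(controller_fqdn, clearpass_fqdn, logon_page_url,
                         controller_ip, infra_dns):
    """Return a list of findings for a planned certificate/DNS layout."""
    infra_dns = {_norm(k): v for k, v in infra_dns.items()}
    findings = []
    if _norm(controller_fqdn) == _norm(clearpass_fqdn):
        findings.append("same-certificate-fqdn")
    if _norm(controller_fqdn) in infra_dns:
        findings.append("controller-fqdn-in-infrastructure-dns")
    if _norm(clearpass_fqdn) not in infra_dns:
        findings.append("clearpass-fqdn-missing-from-dns")
    # Follow the redirect the way a client would: resolve the logon page host.
    logon_host = urlsplit(logon_page_url).hostname or ""
    answer = client_resolve(logon_host, controller_fqdn, controller_ip, infra_dns)
    if answer == controller_ip:
        findings.append("logon-page-resolves-to-controller-loop")
    elif answer is None:
        findings.append("logon-page-unresolvable")
    return findings

# Constructed sample layouts (documentation address range, example.com names).
GOOD = dict(controller_fqdn="cp.example.com",
            clearpass_fqdn="clearpass.example.com",
            logon_page_url="https://clearpass.example.com/guest/login.php",
            controller_ip="192.0.2.10",
            infra_dns={"clearpass.example.com": "192.0.2.50"})
# Same certificate on ClearPass and the controller, with a DNS record for it.
BAD = dict(GOOD, controller_fqdn="portal.example.com",
           clearpass_fqdn="portal.example.com",
           logon_page_url="https://portal.example.com/guest/login.php",
           infra_dns={"portal.example.com": "192.0.2.50"})

if __name__ == "__main__":
    for label, layout in (("good", GOOD), ("bad", BAD)):
        print(label, check_captive_portal(**layout) or "no findings")
```
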