HI,
Yes we can do this too.
1. create a policy to allow or deny applications and services as shown below,
2. Map this policy to a role and map the role to the AAA profile(default role) which is mapped to the VAP where the required SSID profile is mapped.
3. When somebody selectes this SSID they will be mapped to the default role ( or SDR ) and their application access will be controlled according to the Policy.
Hope got some more clarity,
Please feel free for any further help on this.