I have a couple questions...
What happens when a guest device returns a week or so later? Would they be granted access for another day?
Where is this OTP going to be entered?
I don't think you can do this on the controller either. Either way, I believe you will need CPPM. CPPM can solve these requirements with IAP or controller. The captive portal redirect would have a Click to Accept AND a link to a page for OTP login. That way the user could do either. Also with CPPM logic and MAC caching, you could allow devices with Click to Accept for one day each week. If they try to access the network again within those 7 days, you could redirect to a sponsored guest self registration page, requiring an employee to approve a user's access since they have exceeded the one day per week option.
Hopefully this helps.