OK, you should have a public trusted certificate installed on your controller, not a private or RADIUS certificate.
For Guest Captive Portal you need:
- Public trusted HTTPS certificate on ClearPass (may be wildcard)
- Public trusted HTTPS certificate on your controller/IAP configured for Captive portal (which may be a wildcard as well, in which case captiveportal-login.yourdomain will be the name to refer to; if you have a multi-SAN certificate, the first SAN will be used by the controller/IAP).
- The ClearPass and controller certificates should be issued for different names. If you use a multi-SAN or wildcard certificate, the same certificate can be used as long as it is addressed on different FQDNs for the ClearPass and the controller.
Fully separate from the guest use case: for EAP authentication, you only need the EAP RADIUS certificate installed on ClearPass. In most cases an internal/private CA certificate is preferred, and the same certificate should be installed on all ClearPass servers that you have. The only reason to install an EAP certificate on a controller is when you use EAP Termination, and that is deprecated, as it is a corner-case feature that should be avoided in general.
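The naming rules in the post above can be checked before deployment. The following is an added example, not part of the original post and not vendor code; the function names and the `example.com` SAN lists are constructed, and it assumes the wildcard entry is the first SAN of a wildcard certificate. It does not check whether the issuing CA is publicly trusted.

```python
"""Pre-deployment check of guest captive portal certificate naming."""

def wildcard_match(pattern, host):
    """Match one SAN dNSName against a host name.
    A leading '*.' covers exactly one left-most label, nothing deeper."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, tail = h.partition(".")
    return bool(head) and tail == p[2:]

def controller_portal_name(sans):
    """Name the controller/IAP uses for the portal, per the rules in the post:
    wildcard -> captiveportal-login.<domain>, otherwise the first SAN."""
    if not sans:
        raise ValueError("certificate has no SAN entries")
    first = sans[0]
    if first.startswith("*."):
        return "captiveportal-login." + first[2:]
    return first

def check_guest_setup(clearpass_fqdn, clearpass_sans, controller_sans):
    """Return (portal_name, problems) for a planned guest portal setup."""
    problems = []
    portal = controller_portal_name(controller_sans)
    if not any(wildcard_match(s, clearpass_fqdn) for s in clearpass_sans):
        problems.append("ClearPass certificate does not cover " + clearpass_fqdn)
    if portal.lower() == clearpass_fqdn.lower():
        problems.append("ClearPass and controller resolve to the same name: " + portal)
    return portal, problems

if __name__ == "__main__":
    # Constructed sample: one wildcard certificate shared by both devices.
    shared = ["*.example.com"]
    print(check_guest_setup("clearpass.example.com", shared, shared))
    # Constructed sample: multi-SAN certificate whose first SAN is the ClearPass name.
    multi = ["clearpass.example.com", "portal.example.com"]
    print(check_guest_setup("clearpass.example.com", multi, multi))
```

The second sample reports a conflict because the controller would take the first SAN, which is the same name ClearPass is addressed on.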