Hello Jeremy,
welcome to the forum!
First I just want to say that post belongs under a different board like either "Authentication and Access Control" or "Guest Access".
Then to the technical part.
I assume you have installed a valid public SSL webcertificate on the controller and activated this as Captive Portal Certificate.
Based on the ip-adresses you list I'm assuming this is a Comodo based certificate and in the end use ocsp.comodoca.com to verify the revocation status of the certificates. There is another thread on that here - search for comodo ocsp.
Just to make sure you've done the basics right I'm listing it here.
I would suggest that you create a Destination, create an policy ACL that permits HTTP/HTTPS towards this alias, and then add that to the top of the rule-list for the initial role of your AAA profile (like default profile has logon as initial role).
netdestination "OCSP"
network 91.209.196.0 255.255.255.0
network 91.199.212.0 255.255.255.0
network 178.255.80.0 255.255.255.0
network 149.5.128.0 255.255.255.0
!
-> This adds the possible networks Comodo says they use
-> In GUI you will find this under Stateful Firewall / Destination
ip access-list session "OCSP_ACL"
alias "user" alias "OCSP" "svc-http" permit
alias "user" alias "OCSP" "svc-https" permit
!
-> In GUI you will find this in Acces Control/Policies
user-role "logon"
access-list session "OCSP_ACL" position 1
!
-> Note! OCSP_ACL have to be in addition to the already existing access lists on the "logon" (or whatever role you use) role like logon-control and captiveportal
-> In GUI you will find this in Acces Control, edit the Role, and add Firewall Policies
If you have already done this as I've listed the path for OCSP should be open, and no reason why Aruba should be the culprit.
What error message does IE9 give once it loads? Just a warning that it can't verify the certificate or something else?
Have you tried with another PC or device like iPad? If so - how did that go?
Firefox use it's own Certificate Manager so it might be that Firefox already has the Root certificate in it's trusted root while IE9 doesn't. Tho - with Usertrust or Comodo that seems a bit odd since this should be in trusted root in all Microsoft based units.