OK, but is it reachable from the controller's IP? If so, you can NAT just the CPPM traffic in the logon role, while all other traffic is sent out its normal route. For example:
netdestination CPPM-SERVERS
  host x.x.x.x
  host y.y.y.y

ip access-list session CPPM-REDIRECT
  user alias CPPM-SERVERS svc-http src-nat
  user alias CPPM-SERVERS svc-https src-nat

user-role CPPM-LOGON-ROLE
  access-list session logon-control
  access-list session CPPM-REDIRECT
  access-list session captiveportal