Tim,
I figured it out. My error. I was using the incorrect ACLs that captures and NAT's the web traffic to the captive portal interface.
So, for others trying to do this, in the initial role of your aaa profile it needs to have the following ACLs. Obiously the net objects may be different but you need to capture the 80 and 443 traffic and NAT it to the controller.
1 any any svc-dns permit Low 4
2 any any svc-dhcp permit Low 4
3 user any udp 68 deny Low 4
4 any any svc-icmp permit Low 4
5 any any svc-natt permit Low 4
6 user any svc-http dst-nat 8080 Low 4
7 user any svc-https dst-nat 8081 Low 4
8 user any svc-http-proxy1 dst-nat 8088 Low 4
9 user any svc-http-proxy2 dst-nat 8088 Low 4
10 user any svc-http-proxy3 dst-nat 8088 Low 4