Can the problem be consistently reproduced?
When you have a client device that gets in this state where the captive portal is not displayed, can you get to the captive portal if you manually open a web browser on the affected device and enter your captive portal's complete URL in the browser?
Also, when the device is connected, can you capture the output from the "show user" CLI command on the controller in order to identify the connection, IP address, and current role? Then please capture "show rights" for the role that's listed so that we can identify what might be stopping the portal from triggering.