Yes, you can use a subdomain and that is even very common. Most customers use something like: guest.customer.com, login.customer.com, wifi.customer.com, securelogin.customer.com.
For the captive portal login, the name does not even need to be in DNS as the controller will respond to DNS requests for the name in your certificate. If you want the controller WebUI show up without certificate warnings, make sure your internal DNS points for the name in your certificate to the management IP.