Its not manditory/required to have public signed certificate to be installed on IAP for Clearpass Guest.
In clearpass, we have two certificates https/radius. We can have self-singed for https, if you are OK with client brower warning messages but make sure to have public singed radius certificate which is used for EAP-TLS/EAP-PEAP authentication.
Regards,
Pavan