So the IAP + CP Guest already works, great. Also good to hear that the VPN is UP.
The next step would be to set up the routing in the VPN config. You need to configure the route at least to the subnet of the CP server; the gateway address should be the same as the one used as the VPN host address. You can test the connection by logging into the CLI of the IAP and trying to ping the CP server (assuming you are not blocking ICMP along the route).
If the route is OK, you need to configure the DHCP server. You can use the centralized L2 access as I mentioned in a previous post. If it is set, your client should get an IP address from the controller and the traffic should be redirected to the CP guest server.