Thanks, got further by adding MAC authentication under the AAA profile and adding the correct servers under the MAC Authentication Server Group. (Went with just the default MAC auth setting.)
I also checked "Download Role from CPPM" at the main AAA profile level, but I'm not sure if this is needed.
It seems that if I have the endpoint set up properly in CPPM, access is granted as it should be (I just used the default guest profile, but that seems to be enough).
One important command to run from the mobility controller CLI is 'aaa user delete all' (or narrow it down if it's a production setup), for anyone else reading this later... I still have to figure out how long this AAA info is cached.
For unknown clients I'm still facing issues with the actual captive portal. I get the correct "jua181 guest-guest-logon" role that redirects to the captive portal, and from the client I get redirected to:
https://cppm1.hostname.net/guest/juatest.php?cmd=login&mac=14:ab:c.... but it keeps reloading that URL every 2 seconds or so and doesn't show the actual logon page. (We already had some kind of working logon page, so it should work, and I can open it if I copy and paste that whole URL into another computer's browser.)
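For anyone following the same steps later, here is an added ArubaOS mobility-controller CLI equivalent of the GUI configuration described in the post above, with the cache flush and the show commands useful for checking which role a client actually landed in. It is an illustrative example written for this page, not configuration taken from the post or from Aruba documentation. The server, server-group and AAA-profile names, the IP address, the shared secret, the client MAC/IP and the NAS identifier are all placeholders, and the `download-role` keyword is assumed to be the CLI form of the "Download Role from CPPM" checkbox.

```text
! Added example: ArubaOS CLI for the pieces configured in the post above.
! All names, addresses and the shared secret are placeholders (assumptions).
!
! 1. Define the ClearPass RADIUS server and put it in a server group.
aaa authentication-server radius "cppm1"
   host 10.0.0.5
   key "CHANGE-ME-shared-secret"
   nas-identifier "mc01"
!
aaa server-group "cppm-sg"
   auth-server "cppm1"
!
! 2. MAC authentication profile (left at defaults, as in the post).
aaa authentication mac "default"
!
! 3. Attach MAC auth, its server group and the CPPM downloadable-role
!    option to the AAA profile. The initial role is the pre-auth role that
!    carries the captive-portal redirect.
aaa profile "guest-aaa"
   initial-role "guest-logon"
   authentication-mac "default"
   mac-server-group "cppm-sg"
   download-role          ! assumed CLI form of "Download Role from CPPM"
!
! 4. Flush cached user entries so a changed endpoint or role in CPPM is
!    re-evaluated instead of the cached result being reused.
aaa user delete all
! narrower alternative for a single client on a production controller:
! aaa user delete mac 14:ab:cd:ef:01:23
!
! 5. Checks: current role of the client, its AAA state, and the
!    authentication trace buffer for the MAC-auth / RADIUS exchange.
show user-table
show aaa state user 10.10.20.30
show auth-tracebuf
```

When the captive-portal page keeps reloading, the first thing to compare is the role shown by `show user-table` against the role the redirect URL was generated under: if the client's role changes between requests (for example a MAC-auth result arriving and moving it out of the logon role, or back into it), each reload will be handled differently from the last.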