You should use a single public certificate for both. DNS does not matter, because either controller that a user is on will "snoop" for DNS requests for the FQDN of the name in the web certificate and return the IP address of the controller.
For example, if you have a single certificate that you use for both controllers that is captiveportalhost.domain.com, your captive portal authentication profile should have https://captiveportalhost.domain.com/upload/login.html. When the client requests https://captiveportalhost.domain.com, the controller will see the DNS request and return the IP address of the controller that the user is on. By default the IP address is the controller's management IP address. You can use the "ip cp-redirect-address" command on each controller to modify that IP address to be the IP address of the controller on the guest VLAN.
Long story short, if there is a failover, and APs and clients end up on the backup master, the clients will have the same captive portal authentication profile, and when a client does a DNS request for http://captiveportalhost.domain.com, the backup master will return its own IP address.
I hope that helps.
One word of caution: if you intend to put a single captive portal certificate on two controllers, you cannot do the CSR on either controller, because the resulting certificate will be tied to that one controller. You need to do the CSR external to the controller.
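
Added example, not part of the original post: one way to create the CSR outside the controllers with the openssl CLI and confirm the request matches the private key that will later be loaded on both. The file names, the RSA-2048 key size and the helper function names are assumptions; only the FQDN comes from the post.

```shell
#!/bin/sh
# Added example: build the captive portal key and CSR on an admin workstation,
# not on a controller, so the same key and certificate can go on both.
# Assumptions: openssl CLI is installed; file names and RSA-2048 are my choices.
CP_FQDN="captiveportalhost.domain.com"   # certificate name used in the post

# make_cp_csr DIR: write DIR/cp.key and DIR/cp.csr (runs in a subshell so the
# restrictive umask does not leak into the caller).
make_cp_csr() (
    umask 077                            # private key readable by owner only
    cat > "$1/cp.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $CP_FQDN
[ext]
subjectAltName = DNS:$CP_FQDN
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$1/cp.cnf" \
        -keyout "$1/cp.key" -out "$1/cp.csr" 2>/dev/null
)

# csr_has_name FILE: succeed only if the request carries the portal FQDN as SAN.
csr_has_name() {
    openssl req -in "$1" -noout -text | grep -qF "DNS:$CP_FQDN"
}

# pubkey_pem KIND FILE: public key of a key, csr or cert file, as PEM.
pubkey_pem() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    echo "unknown kind: $1" >&2; return 2 ;;
    esac
}

# pubkey_fp KIND FILE: SHA-256 fingerprint of that public key, for comparison.
pubkey_fp() {
    pubkey_pem "$1" "$2" | openssl dgst -sha256 | awk '{print $NF}'
}

# Demo in a scratch directory (nothing is sent to a CA).
work=$(mktemp -d)
make_cp_csr "$work" && csr_has_name "$work/cp.csr" &&
    [ "$(pubkey_fp key "$work/cp.key")" = "$(pubkey_fp csr "$work/cp.csr")" ] &&
    echo "CSR for $CP_FQDN matches its key: $work/cp.csr"
```

Once the CA returns the certificate, `pubkey_fp cert <file>` should print the same fingerprint as `pubkey_fp key cp.key` before the pair is uploaded to both controllers. The key is written unencrypted, so keep that directory on protected storage.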