This is a fairly common question.
The short answer is that Clearpass should have a CN in the cert that matches a resolvable FQDN (at which you point your redirect page). Note that this means registering your Clearpass FQDN of course! Treat your Clearpass like a proper web server in that respect and you'll do fine.
I wouldn't recommend using a private IP as it won't match the FQDN, and secure browsers won't trust it (so you won't achieve a goal of getting rid of the browser warnings).
I have seen people do things with their own DNS servers (private) to resolve this without registering properly (or via an internal FQDN). Again, I don't recommend this as it exposes internal DNS servers to security risks.
Note that in the next couple of years, security for web certs is changing, so Verisign for instance won't issue certs for FQDNs that aren't fully public. I.e. they won't give them out to private domains.
This link has details about it...
http://www.symantec.com/theme.jsp?themeid=cab-forum-changes