I ran into this issue as well in a proof-of-concept environment. For whatever it's worth, I had to put the guest traffic on a VLAN that spanned upstream to an untrusted port on an Aruba controller. It was at the Aruba controller that I applied a wired authentication profile, giving a role to those users. That role had a captive portal authentication profile, which redirected to CPPM for central web auth.
FWIW, if you wanted to do this with Cisco ISE, you'd have to do things similarly for wireless users (i.e., have wireless guests be placed on a VLAN, spanned upstream to an 802.1X-enabled Cisco switchport wherein central webauth could be performed).
Both CPPM and ISE have flaws when it comes to multivendor support for web auth.