This is what I have as an example.
user-role role_PreAuth_Visiteur
captive-portal "Visiteur-cp_prof"
access-list session global-sacl
access-list session apprf-role_PreAuth_Visiteur-sacl
access-list session logon-control
access-list session CPPMAccess
access-list session captiveportal
!
ip access-list session CPPMAccess
any alias clearpass-servers svc-http permit
any alias clearpass-servers svc-https permit
!
The alias 'clearpass-servers' are my CPPM IPs.
Logon-control and captiveportal ACLs are the built in ACLs that I am reusing.