Couple of comments.
1) You should do one combined role map for your 802.1X service that is a match any and then reference the TIPS roles in your enforcement policy. This role map would include identity portions from AD as well as your device tagging. You want to avoid doing this in your enforcement policy. Here's a quick example:
Your enforcement would then simply say:
Tips Role EQUALS DEVICE_SMARTPHONE
AND
Connection: Client-Mac-Address NOT_BELONGS_TO_GROUP HCS-AllowedPhones
Deny Role enforcement profile
2) Since you're using device type as a critical decision maker, you need to enable profiling in the service and create a new enforcement rule for something that isn't profiled.
- In your service, click the Profile Endpoints check box, then go to the Profiler tab, select SmartDevice from the drop-down and then click Save.
- On your controller create a new role called PROFILE. This role should only allow DHCP. Create a new enforcement profile referencing that role name using the Aruba-User-Role VSA. Now in your enforcement policy, create a new rule at the top that reads:
Authorization:[Endpoints Repository] Category NOT_EXISTS, <your-"PROFILE"-enforcement-profile>
3) Just curious, are all 3 of your DCs in the same domain? If so, why are you checking group membership for each DC? You should have just one AD auth source per domain.
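The two-stage design recommended above (a single "match any" role map that turns AD groups and Endpoint Repository tags into TIPS roles, then an enforcement policy that only references those roles, with the PROFILE rule at the top) can be modelled in a few lines. The script below is an added illustration written for this page, not ClearPass code and not the poster's configuration: the TIPS role names, the HCS-AllowedPhones list, the SmartDevice category and the Aruba-User-Role VSA come from the post; the AD group name, the "authenticated" default profile, the sample MAC addresses and the evaluation semantics (collect every matching role, then first enforcement rule wins) are assumptions made for the example.

```python
"""Model of the role-map + enforcement-policy split described in the post.

Illustrative code added to this page (assumption-laden model, not ClearPass).
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# Constructed sample data (assumption): members of the HCS-AllowedPhones
# static host list, matched on Connection:Client-Mac-Address.
HCS_ALLOWED_PHONES = {"aa:bb:cc:00:00:01"}


@dataclass
class Request:
    """Attributes visible to the policies for one 802.1X request."""
    client_mac: str                    # Connection:Client-Mac-Address
    ad_groups: Set[str]                # group memberships from the AD auth source
    endpoint_category: Optional[str]   # Authorization:[Endpoints Repository] Category;
                                       # None means the endpoint has not been profiled yet


# Role-mapping policy, evaluated "match any": every rule is tested and all
# matching TIPS roles are assigned. Identity (AD) and device tagging live here,
# not in the enforcement policy.
ROLE_MAP: List[Tuple[str, Callable[[Request], bool]]] = [
    ("EMPLOYEE", lambda r: "Domain Users" in r.ad_groups),               # assumed AD group
    ("DEVICE_SMARTPHONE", lambda r: r.endpoint_category == "SmartDevice"),
    ("DEVICE_COMPUTER", lambda r: r.endpoint_category == "Computer"),     # assumed extra rule
]


def map_roles(req: Request) -> Set[str]:
    """Return every TIPS role whose condition matches (match-any semantics)."""
    return {role for role, cond in ROLE_MAP if cond(req)}


# Enforcement policy, evaluated top-down, first match wins. Rules reference
# TIPS roles instead of repeating AD/device conditions.
ENFORCEMENT: List[Tuple[str, Callable[[Request, Set[str]], bool], str]] = [
    # Point 2: unprofiled endpoint -> controller role PROFILE (DHCP only).
    # This must sit at the top so nothing below can grant access first.
    ("unprofiled", lambda r, roles: r.endpoint_category is None,
     "Aruba-User-Role=PROFILE"),
    # Point 1: Tips Role EQUALS DEVICE_SMARTPHONE AND
    #          Client-Mac-Address NOT_BELONGS_TO_GROUP HCS-AllowedPhones -> deny
    ("unlisted-phone",
     lambda r, roles: "DEVICE_SMARTPHONE" in roles
     and r.client_mac.lower() not in HCS_ALLOWED_PHONES,
     "Deny Access"),
]
DEFAULT_PROFILE = "Aruba-User-Role=authenticated"   # assumed default enforcement profile


def enforce(req: Request) -> Tuple[Set[str], str]:
    """Run role mapping, then return (roles, first matching enforcement profile)."""
    roles = map_roles(req)
    for _name, cond, profile in ENFORCEMENT:
        if cond(req, roles):
            return roles, profile
    return roles, DEFAULT_PROFILE


if __name__ == "__main__":
    # Constructed requests (assumption) exercising each branch of the policy.
    samples = [
        Request("aa:bb:cc:00:00:99", {"Domain Users"}, None),          # not profiled yet
        Request("aa:bb:cc:00:00:99", {"Domain Users"}, "SmartDevice"), # phone not in list
        Request("AA:BB:CC:00:00:01", {"Domain Users"}, "SmartDevice"), # phone in list
        Request("aa:bb:cc:00:00:02", {"Domain Users"}, "Computer"),    # laptop
    ]
    for s in samples:
        roles, profile = enforce(s)
        print(f"{s.client_mac} category={s.endpoint_category!s:12} roles={sorted(roles)} -> {profile}")
```

The point of keeping the AD and device conditions in `ROLE_MAP` is that the enforcement rules stay readable ("smartphone not on the allow list"), and a second enforcement policy can reuse the same roles without duplicating the lookups. Note that the MAC comparison is lowercased before the set lookup, because the controller and the static host list may not agree on case.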