I think the way to word this is Cisco's Security Group Tagging is their "comparable" solution to Aruba's role-based access controls. If your customer wants "secure labels" to identify the users and devcies, explain to them what a role is and how powerful it can be to secure their devices.
Clearpass doesn't have a comparable solution itself, because ArubaOS (irrespective of ClearPass) has been doing this all along through role-based access controls. ClearPass merely assists with the assignment of those roles through context of the user/device/connection/etc.
Aruba's solution is to assign a role to every device at the time of connection; and apply firewall policies on the controller before its gets on the wire. Aruba doesn't tag things through to every device in a group, because there is no need to; they are already allowed/restricted before they hit those other devices.
Also, this solution is Cisco proprietary....whereas role-based access controls will overlay to any infrastructure.