Hi Kpomer1,
Yes, you need a trusted certificate for the controller to deploy it in a secure manner.
As shown below, the device will post back to the controller in Step 6.
The address where it should post back is specified in the ClearPass Guest Page. By default, it is securelogin.arubanetworks.com and the controller already has "untrusted" certificate for this. By default, we use https for post back (Use Vendor Default)
You will need to install a trusted certificate on the controller, and update your ClearPass guest page. You need to change the "securelogin.arubanetworks.com" to match the common name for the certificate that you installed on your controller. So if you have a certificate for guest.example.com, then set the same on Clearpass.
If you installed a wildcard certificate on your controller *.example.com, then set the captiveportal-login.example.com on ClearPass.