I wouldn't turn encryption off, ever, unless I really have to. When you say tunnel and get web access I don't understand, but in your AAA section in your controller configuration for your guest profile you should reference an initial role. That initial role should be configured so that you can only access the captive portal. The initial role should have your captive portal profile applied to it. The captive portal profile is configured under layer 3 authentication.
My guess, from what you have said, is that you have allowed HTTP access everywhere on your initial role (like your unauthenticated role). Hence the HTTP redirection to the captive portal is not happening. If your ACL allows HTTP access, your captive portal redirection will not work.
Only allow HTTP access to your captive portal! Keep DNS so you can do your cert validation!
I might be talking nonsense though!
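
The ACL ordering problem described in the reply above, as an added example that is not part of the original post: a first-match model of an initial (pre-authentication) role, with a check for the rule that defeats redirection. The rule format, host names and function names are constructed for illustration and are not controller syntax.

```python
# Added example: first-match evaluation of a pre-authentication (initial) role ACL.
# The rule format and all names are constructed for illustration, not vendor syntax.
from typing import NamedTuple

class Rule(NamedTuple):
    dst: str       # "any" or a specific host
    service: str   # "http", "https", "dns" or "any"
    action: str    # "permit", "redirect" or "deny"

PORTAL = "portal.example.net"  # constructed captive portal host

def evaluate(rules, dst, service):
    """Return the action of the first rule matching (dst, service); implicit deny."""
    for r in rules:
        if r.dst in ("any", dst) and r.service in ("any", service):
            return r.action
    return "deny"

def audit_initial_role(rules, portal=PORTAL):
    """List the reasons this role would break captive portal redirection."""
    findings = []
    probe = "www.example.org"  # constructed non-portal site a guest might browse to
    http_action = evaluate(rules, probe, "http")
    if http_action == "permit":
        findings.append("http to non-portal hosts is permitted, so no redirect happens")
    elif http_action != "redirect":
        findings.append("http to non-portal hosts is not redirected to the portal")
    if evaluate(rules, portal, "http") == "deny" and evaluate(rules, portal, "https") == "deny":
        findings.append("the portal itself is unreachable")
    if evaluate(rules, "resolver.example.net", "dns") != "permit":
        findings.append("dns is blocked, so clients cannot resolve names")
    return findings

# Constructed roles: the misconfiguration guessed at above, and a corrected one.
BROKEN = [Rule("any", "dns", "permit"),
          Rule("any", "http", "permit"),      # matches first, redirect never fires
          Rule("any", "http", "redirect")]
FIXED = [Rule("any", "dns", "permit"),
         Rule(PORTAL, "http", "permit"),
         Rule(PORTAL, "https", "permit"),
         Rule("any", "http", "redirect")]

if __name__ == "__main__":
    for name, role in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit_initial_role(role) or "ok")
```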