There are two parts to this:
1. What is needed to bring up the captive portal
2. What is needed to redirect the user traffic to the explicit proxy after the captive portal is brought up.
#1 should be straightforward and use the standard captive portal and control ACLs. The client would need to be able to resolve DNS, and all http traffic will be redirected to the controller's captive portal on port 8080:
(Aruba7005-US) # show ip access-list captiveportal
ip access-list session captiveportal
captiveportal
-------------
Priority  Source  Destination  Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    controller   svc-https                     dst-nat 8081                             Low                                                           4
2         user    any          svc-http                      dst-nat 8080                             Low                                                           4
3         user    any          svc-https                     dst-nat 8081                             Low                                                           4
4         user    any          svc-http-proxy1               dst-nat 8088                             Low                                                           4
5         user    any          svc-http-proxy2               dst-nat 8088                             Low                                                           4
6         user    any          svc-http-proxy3               dst-nat 8088                             Low                                                           4
The standard logon-control ACL at minimum should allow DNS and DHCP, as well
(Aruba7005-US) # show ip access-list logon-control
ip access-list session logon-control
logon-control
-------------
Priority  Source  Destination              Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------              -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any                      udp 68                 deny                             Low                                                           4
2         any     any                      svc-icmp               permit                           Low                                                           4
3         any     any                      svc-dns                permit                           Low                                                           4
4         any     any                      svc-dhcp               permit                           Low                                                           4
5         any     any                      svc-natt               permit                           Low                                                           4
6         any     169.254.0.0 255.255.0.0  any                    deny                             Low                                                           4
7         any     240.0.0.0 240.0.0.0      any                    deny                             Low                                                           4
Both of the ACLs above should be combined into an initial role that allows the user to bring up the captive portal.
#2 After the user authenticates with the captive portal, that is when it will be necessary to destination-NAT (translate) all http traffic to the explicit proxy using an ACL in the role you use after the client has authenticated. For example, if the proxy is at 10.10.10.10 and the proxy port is 8080, your ACL would look like this for your authenticated client:
alias "user" any "svc-http" dst-nat ip 10.10.10.10 8080
You would do the same thing for https client, but like I warned above, it is quite possible that your proxy will not handle https traffic properly so you might have to try to come up with a workaround for that.
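A way to check which rule a client flow hits in each role, written as a first-match model of the ACLs above (an added example, not part of the original post and not Aruba code). The service port definitions, the ACL order inside the initial role, the controller address, the `proxy-redirect` name and the implicit deny at the end of a role are assumptions.

```python
import ipaddress

# Assumed ArubaOS default service definitions (not shown in the post).
SERVICES = {
    "svc-icmp": ("icmp", 0, 0), "svc-dns": ("udp", 53, 53),
    "svc-dhcp": ("udp", 67, 68), "svc-natt": ("udp", 4500, 4500),
    "udp 68": ("udp", 68, 68), "svc-http": ("tcp", 80, 80),
    "svc-https": ("tcp", 443, 443), "svc-http-proxy1": ("tcp", 3128, 3128),
    "svc-http-proxy2": ("tcp", 8080, 8080), "svc-http-proxy3": ("tcp", 8888, 8888),
}
CONTROLLER = "192.0.2.1"  # constructed controller address

def acl(name, rows):
    """Tag each (destination, service, action) row with its ACL name and priority."""
    return [(name, prio, *row) for prio, row in enumerate(rows, 1)]

# Rows transcribed from the two "show ip access-list" outputs; client-sourced flows only.
LOGON_CONTROL = acl("logon-control", [
    ("any", "udp 68", "deny"), ("any", "svc-icmp", "permit"),
    ("any", "svc-dns", "permit"), ("any", "svc-dhcp", "permit"),
    ("any", "svc-natt", "permit"), ("169.254.0.0 255.255.0.0", "any", "deny"),
    ("240.0.0.0 240.0.0.0", "any", "deny")])
CAPTIVEPORTAL = acl("captiveportal", [
    ("controller", "svc-https", "dst-nat 8081"), ("any", "svc-http", "dst-nat 8080"),
    ("any", "svc-https", "dst-nat 8081"), ("any", "svc-http-proxy1", "dst-nat 8088"),
    ("any", "svc-http-proxy2", "dst-nat 8088"), ("any", "svc-http-proxy3", "dst-nat 8088")])

INITIAL_ROLE = LOGON_CONTROL + CAPTIVEPORTAL  # assumed ACL order within the role
# Post-auth role holding only the rule from the post; "proxy-redirect" is a hypothetical name.
AUTH_ROLE = acl("proxy-redirect", [("any", "svc-http", "dst-nat ip 10.10.10.10 8080")])

def first_match(role, dst, proto, port=None):
    """Return (acl, priority, action) of the first matching rule, or the implicit deny."""
    ip = ipaddress.ip_address(dst)
    for name, prio, rdst, svc, action in role:
        if rdst == "controller":
            dst_ok = dst == CONTROLLER
        else:
            dst_ok = rdst == "any" or ip in ipaddress.ip_network(rdst.replace(" ", "/"))
        if svc == "any":
            svc_ok = True
        else:
            sproto, lo, hi = SERVICES[svc]
            svc_ok = proto == sproto and (proto == "icmp" or lo <= port <= hi)
        if dst_ok and svc_ok:
            return name, prio, action
    return None, None, "deny (implicit)"  # assumption: a role ends with an implicit deny

if __name__ == "__main__":
    for flow in [("198.51.100.7", "tcp", 80), ("198.51.100.7", "tcp", 443)]:
        print(flow, first_match(INITIAL_ROLE, *flow), first_match(AUTH_ROLE, *flow))
```

With only the svc-http rule in the authenticated role, port 443 falls through to the implicit deny in this model, so HTTPS needs its own rule or workaround as the post says.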