Hi Erudes,
Just give VLAN ID 500 an IP interface on each MD so the captive portal is reachable. Without it the portal will not show up at all.
When using a self-signed certificate or one from your own PKI CA (aka your own domain or CA server), the guest client does not have the CA root (and/or intermediate) certificates in the trust store of its browser, and therefore a client cannot trust the captive-portal HTTPS webserver certificate. Sure, it will work, but guest clients will always, annoyingly, see a certificate error when reaching the portal, and it's not secure at all and it gives a bad user experience.
That's why a webserver certificate from a public CA is strongly recommended, because the root certificates are present by default on the client devices. And therefore they don't see a certificate error when reaching the captive-portal page.
In the captive-portal profile you can even disable HTTPS altogether, but this is not recommended, of course.
If you run a demo environment you can use a free certificate from "Let's Encrypt" https://www.sslforfree.com/. Otherwise buy a simple SSL certificate from COMODO or another good provider; it's not expensive.
The default URL is captiveportal-login.domain.com
See also this older thread:
https://community.arubanetworks.com/t5/Wireless-Access/How-to-configure-an-IP-to-the-name-captiveportal-login-mysite/td-p/236717