TLDR: do not do it, you will regret it!
Not a step by step but..
On the controller, configure the dot1x SSID as per usual but change its default dot1x role to a captive portal role. (If you meant to say WPA2-PSK, then you would use the initial role.)
This captive portal role will only be given after 802.1x auth and will then trigger the portal.
On the ClearPass side you need 2 services.
1) basic dot1x service, might want to return the aruba-user-role attribute guest-logon (or whatever captive portal role you use)
2) basic guest user auth.
Mind you, this really seems pretty useless as you will be authenticating twice.
Are you sure you need this? Guests will bugger you non-stop because they won't trust your radius server. Internal folks will be even worse if forced to do a captive portal auth each and every time.
If you REALLY, absolutely, must do this and only after disagreeing 3 times with those forcing this upon you, make sure with step 2 to save something to the endpoint repository and use that next time in service 1 so they don't get your portal every 5 mins they've been offline.
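
The role decision the post describes (service 2 stamps the endpoint, service 1 reads the stamp on the next 802.1X auth) can be modelled as below. This is an added example, not part of the original post and not ClearPass configuration; the `authenticated` role, the `portal_auth_at` attribute, the 8-hour window and the sample MAC are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed names: the post-portal role, the attribute name and the 8-hour
# window are illustrative, not ClearPass or controller defaults.
PORTAL_ROLE = "guest-logon"        # captive portal role named in the post
FULL_ROLE = "authenticated"        # assumed role once the portal was passed
PORTAL_TTL = timedelta(hours=8)    # assumed validity of a portal login

endpoint_repo = {}  # stand-in for the endpoint repository, keyed by MAC


def normalize_mac(mac):
    """Reduce aa:bb:.., AA-BB-.. and aabb.ccdd.eeff forms to 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def service2_portal_login(mac, now):
    """Service 2 (guest auth): on success, stamp the endpoint record."""
    endpoint_repo[normalize_mac(mac)] = {"portal_auth_at": now}


def service1_dot1x_role(mac, now):
    """Service 1 (802.1X): choose the role returned after a successful auth."""
    entry = endpoint_repo.get(normalize_mac(mac))
    if entry and now - entry["portal_auth_at"] <= PORTAL_TTL:
        return FULL_ROLE       # portal passed recently: skip it this time
    return PORTAL_ROLE         # unknown endpoint or stale stamp: show portal


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)          # constructed timestamp
    mac = "AA-BB-CC-00-11-22"                # constructed MAC
    print(service1_dot1x_role(mac, t0))      # first connect: portal role
    service2_portal_login(mac, t0)
    # Same device reported in another MAC format, one hour later
    print(service1_dot1x_role("aabb.cc00.1122", t0 + timedelta(hours=1)))
    # Stamp older than the window: portal again
    print(service1_dot1x_role(mac, t0 + timedelta(hours=9)))
```

The stamp is keyed on the MAC alone, so the window length decides how long a given MAC skips the portal after one successful login.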