Recently I deployed the same scenario at a customer site. The customer wants guests to only get an IP address from the external DHCP server but not be able to access any resources of the network. In this case, how would the guest network traffic be resolved? The guest traffic would be resolved via global DNS. So on the router the customer mapped the guest VLAN and IP subnet to 8.8.8.8 and 208.67.222.222.
Now, on the 104 IAP VC, I apply the rule on the guest SSID.
Allow any service except to a network 172.16.0.0/16.
This rule will deny each guest access to the customer network resources.
Go to the main interface of the IAP -> security -> Roles -> now select the guest SSID and apply the above rule.
Hope this idea will help you.