You might want to:
1. Add ClearPass to both domains
2. In your service to authenticate 802.1x devices, make sure both domains show up under "authentication sources"
3. Uncheck termination on the controller, so that the server certificate on ClearPass is what all devices see and trust.
4. ClearPass should look for an account for an incoming authentication request in the first authentication source, and if it does not exist, move to the second.
5. You could use the role mapping "if Authentication Source = AD1" then set a role of AD1. Same thing if it is AD2.
6. Later in the Enforcement Policy, you can say if Role=AD1, then send back X enforcement profile with one attribute. You can also say, if Role=AD2, then send back Y enforcement policy with a different RADIUS attribute to differentiate between devices that authenticated with each.
This is all assuming that ClearPass has a public certificate that both sets of clients trust, and can be used to onboard both.
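
The decision flow from steps 2, 5 and 6, modeled in Python as an added example; it is not part of the original post and is not ClearPass configuration syntax. The account names, the `Filter-Id` values and the function names are constructed for illustration, and the model also shows what happens when the same username exists in both domains.

```python
# Model of the decision flow only, not ClearPass syntax.
# Directory contents, role names and attribute values are constructed samples.

AUTH_SOURCES = [  # ordered list: the first source that holds the account wins
    ("AD1", {"alice", "shared.svc"}),
    ("AD2", {"bob", "shared.svc"}),
]

ROLE_MAPPING = {"AD1": "AD1", "AD2": "AD2"}  # Authentication Source -> role

ENFORCEMENT = {  # role -> enforcement profile carrying one RADIUS attribute
    "AD1": {"profile": "X", "attrs": {"Filter-Id": "ad1-clients"}},
    "AD2": {"profile": "Y", "attrs": {"Filter-Id": "ad2-clients"}},
}

REJECT = {"result": "reject", "source": None, "role": None,
          "profile": None, "attrs": {}}


def find_source(username):
    """Return the first authentication source that holds the account."""
    for name, accounts in AUTH_SOURCES:
        if username.lower() in accounts:
            return name
    return None


def evaluate(username):
    """Walk sources in order, map source to role, then role to profile."""
    source = find_source(username)
    role = ROLE_MAPPING.get(source)
    policy = ENFORCEMENT.get(role)
    if policy is None:  # unknown account or unmapped role: default deny
        return dict(REJECT)
    return {"result": "accept", "source": source, "role": role,
            "profile": policy["profile"], "attrs": dict(policy["attrs"])}


def ambiguous_accounts():
    """Usernames present in more than one source (always hit the first)."""
    seen, dupes = set(), set()
    for _, accounts in AUTH_SOURCES:
        dupes |= seen & accounts
        seen |= accounts
    return sorted(dupes)


if __name__ == "__main__":
    for user in ("alice", "bob", "shared.svc", "mallory"):
        print(user, evaluate(user))
    print("present in both domains:", ambiguous_accounts())
```

An account name that exists in both domains always resolves to the first listed source, so it receives the AD1 role and profile regardless of which domain the device actually belongs to.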