We'd have to assume that the RAIDUS server is sending a reject.
The problem is that the client will not be able to obtain an association to the SSID until some form of authentication has occurred. You would need a form of association in order to display the Captive Portal but this wouldn't have occurred you have not passed the authentication.
I'd consider in the first case separating the Guest traffic entirely. To my knowledge even CPPM can't take action from a 802.1X deny/reject.