To oversimplify, the controller intercepts http/https traffic so the client must trust the https server certificate that is on the controller. The controller then redirects the client to the ClearPass Captive Portal page and the client must trust that https server certificate as well.
If the client does not trust either certificate, the client browser will show an error and the process will be stopped.