In the initial role, you should have an ACL that looks something like:
any any svc-http dst-nat
any any svc-https dst-nat
If you remove those rules, the controller won't automatically intercept http/https requests. You would have to use the URL "securelogin.arubanetworks.com/auth/index.html" (if you use a custom cert, change "securelogin.arubanetworks.com" to the device name in your cert) to get the client to view the captive portal page.
You will also have to add a rule that allows the user to talk to the controllers "controller-ip" so that the page can be displayed. You can get the controller-ip from the command "show controller-ip", assuming you are running a fairly new ArubaOS.