I think I can answer a few of those questions. The reason for 3 services is their are different condiitons that will be met during each authenticatio method. First method is 802.1X so the authentication would be EAP-PEAP or EAP-TLS. Then you have the second method of MAB, which would be authentication method of MAC Auth. You would then have a 3rd authentication which would be Web-auth, so that's why you need the extra service or services depending on what your doing on the captive portal.
In terms of workflow, it's pretty simple:
Switch will process each type based on order and will take the result based on priority, assuming the priority is default (defaults to using the order as priority) it would be something like this:
Step 1: Device -> Switch -> 802.1X request -> CPPM -> AD Lookup (lets assume this fails)
Step 2: Device -> Switch -> MAC Auth -> CPPM -> MAC DB Lookup (lets assume this fails and we return captive portal enforcement)
Step 3: Device -> Switch -> Captive Portal -> CPPM -> Guest Reg or login.
Some switches you can configure the captive portal stuff locally, or you can use CPPM to dynamically push what you need, which is the URL and the dACL forcing access to the captive portal only. Remember the device needs an IP address to get to the captive portal, so the MAC auth will not be a deny access, but an allow with the captive portal enforcement permitting DHCP, DNS, etc.