jujusas,
If you already have a captive portal configured on clearpass, you are already sending back rejections to users who do not pass authentication. Your only option is to:
1. Create an HTML page on the Aruba Controller , or ClearPass with your message
2. Create a Captive Portal Authentication profile on the Aruba Controller that has the URL of the controller's or the ClearPass page as the "Login Page" URL
3. Create a role that has the Captive Portal ACL attached and configure the Captive Portal Authentication profile as the profile you created in step 2
4. When your users fail authentication in ClearPass, send back an "accept" in the enforcement profile but also send back and Aruba-User-Role VSA as the name of the role you created in step 3 on the controller.
When the user opens up a browser to see what happened, they will get the reject page you created in step#1. Not pretty and there are better ways to do it, but this is just to get you started.