Well, I think this would be the wrong order. First, you should authenticate the port with the IAP as well, but here you can assign the untagged management VLAN and the tagged user VLANs. Therefore, the guest VLAN is only available tagged if the IAP is connected.
If you remove the IAP from the port, the port goes into the default state.
There is no need to double authenticate clients.
Have a look at this post; I did a write-up on AP authentication:
https://www.flomain.de/2020/03/aruba-ap-authentication/