When uploading the certificate to the controller / IAP cluster the certificate should include the private key and the keychain. You can combine everything in one PEM file with the following structure.
----- BEGIN CERTIFICATE -----
SERVER CERTIFICATE
----- END CERTIFICATE -----
----- BEGIN CERTIFICATE -----
INTERMEDIATE CERTIFICATE
----- END CERTIFICATE -----
----- BEGIN CERTIFICATE -----
ROOT CERTIFICATE
----- END CERTIFICATE -----
----- BEGIN RSA PRIVATE KEY -----
PRIVATE KEY
----- END RSA PRIVATE KEY -----
Also, you shouldn't forget to change the default callback address securelogin.arubanetworks.com in the WebLogin of Self-Service page on ClearPass. For example, when you upload the named certificate webauth.example.com to the controller the callback address should also be webauth.example.com. When you upload a wildcard certificate (*.example.com) to the controller, the callback address should be captiveportal-login.example.com.