Hi,
Policy enforcement is not that much with a Controller, probably you can specify a login validity time range through an ACL and map it to the authenticated role so that user can connect to the network during a specific time.
I'm not sure whether it is possible through CPPM or not. let me check and come back on this.