If you are really seeing HSTS messages, it is likely that this is not because of the captive-portal certificate, but because the initial redirect is done on HTTPS traffic to a site that uses HSTS.
Unfortunately installing a trusted certificate on ClearPass and the controller/instant does not solve that, it is how HSTS is designed. You can only 'fix' the HSTS error by not making the redirect to happen for HTTPS traffic.
Check this post http://community.arubanetworks.com/t5/Technology-Blog/Captive-Portal-why-do-I-get-those-certificate-warnings/ba-p/268921 on some more in-depth explanation and possible workarounds.
Regardless the redirect, you will need a certificate on both ClearPass (or external captive portal server) and on the controller/IAP in order to prevent certificate warnings during the captive portal authentication.
If you want to go the 'free' way for certificates, you can check out Letsencrypt (https://letsencrypt.org/) which has some inconvenience if your systems are not exposed to the internet (which is for controllers/ClearPass mostly the case), combined with the fact that the certificates are only valid for 90 days. I would personally spend those few dollars and get a certificate from a commercial CA; you can get a 3-year cert for $15, and you need two of them (ClearPass + Controller/IAP). Can't look in your wallet, but the time you spend on renewing every 90 days is probably more expensive than just purchasing a commercial cert.