You need to create a session ACL that blocks TCP port 443 (Captive Portal) and TCP port 4343 (admin GUI) and permits everything else, and apply it as a session ACL to the controller's physical uplink port to your network. In the example below, the name of my ACL is "no-webui". My controller's management IP address is 192.168.1.3. My controller's uplink to the network is gigabitethernet 0/0/0.
ip access-list session "no-webui"
ip access-list session "no-webui" any host 192.168.1.3 tcp 4343 4343 deny position 1 queue low
ip access-list session "no-webui" any host 192.168.1.3 tcp 443 443 deny position 2 queue low
ip access-list session "no-webui" any any any permit position 3 queue low
!
interface gigabitethernet "0/0/0"
   ip access-group "no-webui" session
NOTE: If your controller has more than one IP address, you need to add an ACL for those IP addresses as well to block 443 and 4343 for it to be truly effective. You should run these commands when you have console access to the controller so that if you lock yourself out, you can remove the ACL from the gigabitethernet port. You also need an "any any any permit" at the end of your ACL to allow all other traffic to the controller.
If you have an upgrade window, 6.3.1.5 has the fix, and upgrading to it will get you off of 6.3.0.1, which is NOT GA code.
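A check for the multi-address case in the note above, as an added example that is not part of the original post: it parses ACL lines in the format shown and lists every controller address whose TCP 443 or 4343 is not denied ahead of the permit-all rule. The function name and the second address 192.168.2.3 are assumptions, as is reading "position" as the evaluation order.

```python
import ipaddress
import re

BLOCKED_PORTS = (443, 4343)  # captive portal and admin GUI, per the post

# Line shapes follow the post's ACL; "position" is assumed to be evaluation order.
DENY_RE = re.compile(
    r'^ip access-list session "(?P<acl>[^"]+)" any host (?P<ip>\S+) '
    r'tcp (?P<lo>\d+) (?P<hi>\d+) deny position (?P<pos>\d+)')
PERMIT_RE = re.compile(
    r'^ip access-list session "(?P<acl>[^"]+)" any any any permit '
    r'position (?P<pos>\d+)')

# Constructed sample: the post's ACL, which covers only 192.168.1.3.
SAMPLE = """\
ip access-list session "no-webui" any host 192.168.1.3 tcp 4343 4343 deny position 1 queue low
ip access-list session "no-webui" any host 192.168.1.3 tcp 443 443 deny position 2 queue low
ip access-list session "no-webui" any any any permit position 3 queue low
"""


def uncovered(config_text, acl_name, controller_ips):
    """Return (ip, port) pairs that no deny rule blocks ahead of the permit-all."""
    denies, permit_pos = [], None
    for line in config_text.splitlines():
        line = line.strip()
        m = DENY_RE.match(line)
        if m and m["acl"] == acl_name:
            ports = range(int(m["lo"]), int(m["hi"]) + 1)
            denies.append((int(m["pos"]), ipaddress.ip_address(m["ip"]), ports))
            continue
        m = PERMIT_RE.match(line)
        if m and m["acl"] == acl_name:
            pos = int(m["pos"])
            permit_pos = pos if permit_pos is None else min(permit_pos, pos)
    missing = []
    for ip in dict.fromkeys(map(ipaddress.ip_address, controller_ips)):
        for port in BLOCKED_PORTS:
            blocked = any(
                d_ip == ip and port in d_ports
                and (permit_pos is None or d_pos < permit_pos)
                for d_pos, d_ip, d_ports in denies)
            if not blocked:
                missing.append((str(ip), port))
    return missing


if __name__ == "__main__":
    # 192.168.2.3 is a hypothetical second controller address.
    for ip, port in uncovered(SAMPLE, "no-webui", ["192.168.1.3", "192.168.2.3"]):
        print(f"not blocked: {ip} tcp/{port}")
```

A deny rule whose position is equal to or later than the permit-all is reported as not blocking, so a misordered ACL is flagged as well as a missing address.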