OK, for the benefit of anyone reading this, I have discovered that the problem was misidentified. The solution appeared to work after a delay, but it was just happenstance. The problem cropped up again yesterday, and we were able to figure it out with the help of Aruba support.
What really happened was a client joined our guest network with a static IP that was the same as the IP of our server. There appears to be an implicit rule that denies traffic to an invalid wireless client IP. The problem is, as long as the client exists in the controller, that IP is blocked. If you kick the client off, the server is suddenly accessible again.
Anyone else experience something like this? Any thoughts about how to fix this other than kicking that client off (or blacklisting it)?