I am not sure I completely followed your last two posts, but some comments:
- You can have multiple SSIDs on a RAP; they can be in different forwarding modes if necessary (tunnel, split-tunnel, or bridge)
- The ACL for the connected users needs to support split-tunneling if that is the mode you are in (using the route src-nat action). Any ACLs with permit will be tunneled back to the controller regardless of the forwarding mode
- If you have "enforce machine authentication" enabled on your PC SSID, then you may have issues with the Macs as you point out. You can get around this by adding the MACs of the Mac systems to the internal database. If you don't have "enforce machine authentication" enabled on the SSID, then you should be able to use both Macs and PCs on the same SSID.