yes, it's possible. One way is to create a role (say cp2-initial-role) that has the 2nd captive portal assigned to it, then use RFC 3576 CoA (aka Dynamic Auth) to change the role from 'cp1-authenticated-role' to 'cp2-initial-role'.
existing firewall sessions from the device will not be affected by this change (if you're on some webpage it suddenly wont be hijacked as the session is already open), to try and speed it up you can disconnect the user to try and kick start the captive portal detection.