I think I can help with a few of your questions.....
"I have created the employee and guest VLANs on the controller. Should the L3 switch be aware of these VLANs? From my understanding, this is not the case, right?"
The L3 doesn't necessarily need to be involved. There is an option called "Enable source NAT for this VLAN" which will allow the traffic to route over to the existing uplink from the controller. Not really the best way to do it, but it works. I've got a controller set up that way myself. A better way to do it would be to set up a rule in the policy that will NAT the traffic.
"Employees should be able to connect to the employee WLAN just by providing a WPA2 key, i.e. no 802.1X or MAC authentication"
Really depends on how you have it set up. When you go through the WLAN wizard, make sure you set it up as WPA2 Personal and not Enterprise if you are wanting to use a PSK. Keep in mind that using a PSK is not as secure as 802.1X because if the password ever gets out, your network is able to be breached. If you are using a domain controller with Active Directory, setting up RADIUS and 802.1X is actually pretty easy.
"There is no need for a captive portal for the guests, but they shouldn't be able to access any of the internal networks."
You would set this up with policies. Even though it isn't specifically needed, I would still set up the portal to catch them and make it easier for them to log on to the network. It also makes it somewhat easier to set up the appropriate policies to restrict access.
Hope this helps.
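As an added illustration of the "policies to restrict access" point for the guest WLAN (this is example code written for this thread, not the poster's configuration or any controller vendor's syntax): a small first-match policy evaluator that shows what a guest rule set typically looks like and why rule order matters. The internal resolver address (192.168.10.5) and the RFC 1918 ranges standing in for "the internal networks" are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed "internal networks" for the example: all RFC 1918 space.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ip_network("0.0.0.0/0")]
# Assumed internal DNS resolver that guests are still allowed to reach.
GUEST_DNS = [ip_network("192.168.10.5/32")]


@dataclass
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    dst_nets: List[IPv4Network]
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, dst: IPv4Address, proto: str, dport: int) -> bool:
        if not any(dst in net for net in self.dst_nets):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


# Correct order: specific permits for DHCP and DNS first, then the blanket
# deny for internal space, then permit everything else (the internet).
GUEST_POLICY = [
    Rule("allow-dhcp", "permit", ANY, "udp", 67),
    Rule("allow-dns", "permit", GUEST_DNS, "udp", 53),
    Rule("deny-internal", "deny", RFC1918),
    Rule("allow-internet", "permit", ANY),
]

# Common mistake: the internal deny placed above the DNS permit, which
# silently breaks name resolution for guests.
MISORDERED_POLICY = [
    Rule("allow-dhcp", "permit", ANY, "udp", 67),
    Rule("deny-internal", "deny", RFC1918),
    Rule("allow-dns", "permit", GUEST_DNS, "udp", 53),
    Rule("allow-internet", "permit", ANY),
]


def evaluate(policy: List[Rule], dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation; anything unmatched hits an implicit deny."""
    dst_ip = ip_address(dst)
    for rule in policy:
        if rule.matches(dst_ip, proto, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def check_guest_isolation(policy: List[Rule]) -> List[str]:
    """Return a list of problems found with a few constructed test flows."""
    problems = []
    # Constructed sample flows: (description, dst, proto, dport, expected action)
    flows = [
        ("file server SMB", "192.168.1.20", "tcp", 445, "deny"),
        ("mgmt SSH on resolver", "192.168.10.5", "tcp", 22, "deny"),
        ("guest DNS", "192.168.10.5", "udp", 53, "permit"),
        ("public HTTPS", "93.184.216.34", "tcp", 443, "permit"),
    ]
    for desc, dst, proto, dport, expected in flows:
        action, rule = evaluate(policy, dst, proto, dport)
        if action != expected:
            problems.append(f"{desc}: got {action} via {rule}, expected {expected}")
    return problems


if __name__ == "__main__":
    print("good policy problems:", check_guest_isolation(GUEST_POLICY))
    print("misordered policy problems:", check_guest_isolation(MISORDERED_POLICY))
```

The `check_guest_isolation` function is the part worth keeping around: after any change to the guest rule set, run a handful of known flows through it so a reordering that re-opens a file server or breaks DNS is caught before it reaches guests.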