In the user guide, if you consult the "VLAN Derivation Priorities for VLAN types" table you'll see that the only thing that can override Tunnel-Group-Id are DHCP options rules. That is of course a dicey proposition as it involves clients interacting with a DHCP server from a VLAN which will be immediately yanked out from under them during the DHCP negotiation.
(The manual actually contradicts itself above this chart by saying that Aruba-User-VLAN overrides everything else.)
Your RADIUS server is deficient if it cannot be configured to adjust or omit the Tunnel-Group-Id based on criteria that identify the Aruba controller NAS. I wouldn't bet on it but you might be able to play some tricks with using vlan names instead of numbers in this field; I haven't tried that and it may involve adjusting the other NAS that are sharing this RADIUS server. Your best (and least hinky) option might be to fire up a FreeRADIUS instance, define your central RADIUS server as a home server, point the controllers at FreeRADIUS, and massage the response in the post-proxy or post-auth section before it gets back to the controllers.