Its not that complicated.
Create an ACL that allows IM ports/protocols, then denies packets with the destination of your WLAN subnet. Put those two ACLs into the role your users are using and VOILA, no more user>user traffic EXCEPT IM.
The order of the rules is very important. The rules are processed top down and first match. Just make sure you allow DHCP, DNS and other critical services first, then the IM ACL, then the drop user-user ACL, then your HTTP/HTTPS allow ACL. At the end is an implicit deny all.