The first thing that needs to be done is to connect the WLC to a trunk port on a managed switch that has the two VLANs you want to pass. The WLC ports are trunked by default and cannot be changed, as far as I know anyway. The second thing is to set up two interfaces on the controller itself (one for public and another for private) and assign the IPs for these interfaces in the VLANs you want them to be in. Then create two WLANs, one public and one private, and assign the interfaces you created accordingly. Then I suggest you put the DHCP server behind a firewall, or better yet an ASA, set up two different scopes accordingly, and use a DHCP relay across the ASA. (The ASA integrated DHCP server didn't play well with WLCs, in my experience anyway. It was suggested to me that the proxy ARP might be the problem, but I haven't had time to test it.) Then set up access rules accordingly. Hope this helps :) Let me know if you have any questions. Also check the online WLC config manual. It's a lengthy read, but you can find some really helpful info here.
Thanks temujin1499 for your detailed explanation.
One question: if I do not have a managed switch, but I have two physical interfaces on the WLC and two physical interfaces on the router, can I just connect these four interfaces to an unmanaged switch and set up two SSIDs, each going through a separate WLC/router interface?
Well, if you have a router, I would just set up a trunk with the VLANs of the two SSIDs on one of the router ports and connect it to the WLC. You could try what you suggested, but I haven't tested it, so I can't tell you whether it works or doesn't. If you do give that a shot, let me know how it works out. My guess is that it will not work.