We are currently experiencing a problem with web auth on one of our sites. This uses WiSM2 controllers running version 22.214.171.124 of the software.
The affected SSID is set up for web auth exactly the same way as our other site and that works (although that uses WiSMs running 126.96.36.199).
Both sites use the same web auth bundle and the same certificate. We have a DNS entry that points back to the virtual interface IP they all use which is 188.8.131.52.
When users connect to the SSID they are not being presented with the login page. Running a preview on the controller at the problem sites shows the correct page that should be being displayed.
The controllers have had the certificate re-applied and the web auth bundle reloaded, and have been upgraded from 184.108.40.206 to 220.127.116.11, but none of these have resolved the issue. All other SSIDs work fine, but this is the only one that uses web auth.
As I say, the only configuration difference is the hardware (WiSM2 vs WiSM) and the software level.
When you mention that the login page does not open, that usually means that it is a DNS issue. Make sure that you allow DNS from the guest subnet to the DNS server in which the FQDN of the certificate is being resolved.
Are you anchoring the guest SSID to an anchor controller? It would be the same troubleshooting, but make sure the anchor is configured correctly. The foreign WLC guest SSID needs to have a mobility anchor to the anchor WLC, and the FW needs to allow DNS back in if you're using an internal DNS server.
If you are not using an anchor WLC, the best way to test is to map the guest to another dynamic interface on the inside network that is working. If that works, your FW is blocking DNS on the guest subnet. You can also remove the FQDN (make sure it was entered correctly) from the VIP and test. If that fixes it, then DNS was not resolving the certificate FQDN.