Hi,
the fact that you can't ping in the guest SSID is normal. That SSID blocks all traffic until you authenticated on the web page.
If your users are using a proxy to browse the web, all you need to do is to add an exception in the client browser for "1.1.1.1" if that is your virtual ip. So that the proxy doesn't get contacted when client is redirected for authentication.
The second step is to make WLC listen on the proxy port (often it's 8080 for example). Command is "config network web-auth-port" :
http://www.cisco.com/en/US/partner/docs/wireless/controller/6.0/command/reference/cli60.html#wp1728200
Hope this helps,
Nicolas