The reason you get the certificate security warning is b/c the WLCs have a self signed certificate that a client's browser will not know about. To deal with that warning, you have a few options:
1. Leave it as is and let the users know that seeing that is OK
2. Disable HTTPs on the controller - almost no one picks this b/c it is a global change so even admin logins will be unencrypted.
3. Install a valid root or chained certificate on the controller from an Internet CA:
a. Use a root certificate from a CA like Entrust. You would have the certificate issued for whatever DNS name you want to give the virtual interface IP address of the controller. You will also need to have a host entry in the local DNS server for that same name and point to the address of the virtual interface. Under the virtual interface configuration on the controller, you would enter the DNS hostname you set up in local DNS. It needs to be the FQDN. YOU MUST REBOOT for that to take effect.
If you do not wish for the guest users to have access to your internal DNS servers, you could have a Linux or other free DNS server on the guest network and have the guest clients use that for DNS. All that server would require is the A record for the virtual interface and then have it point to your ISP or Internet DNS servers for everything else.
b. Use a chained certificate. This is more work than using a root certificate b/c your final pem file must have all the intermediate certificates in it as well as the certificate issued to you. Other than having multiple certs in the final file, the process is the same as using a root certificate. Please note that only up to level 2 chained certs are supported:
Level 0 - use of only a server certificate on WLC
Level 1 - use of server certificate on WLC and a CA Root Certificate
Level 2 - use of server certificate on WLC, one single CA intermediate certificate and a CA Root Certificate.
Level 3 or higher is not supported
Level 3 - use of server certificate on WLC, two CA intermediate certificates and a CA Root Certificate.