There is not enough information to describe what you have setup. In this, I assume the captive portal is on ClearPass, but is it SAML or OAuth2, and in SP or IdP role?
Also with captive portal, you should (generically) not switch VLANs as it introduces large interruptions due to port bounces (wired) or clients not being aware of the VLAN switch and sticking to the old IP for the old VLAN and losing connectivity. The normal step is that the SSO service triggers a web login, which service can return role/VLAN other, or you need to work with cached information and MAC authentication.
As there are many moving parts here, it may be most effective to work with your partner or Aruba Support. For such implementations it's critical to see what happens, till where the process works and where it breaks, and that is hard to do in a forum like this.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------