Here is Cisco Support's answer to trying to use guest VLANs in layer 3 mode. I know I've seen a few other posts on this over the years, but this leaves the guest VLAN utterly useless. You can relay an address, but the machine that should already be restricted by being on the guest VLAN can't access a single thing. What is the point of having a guest VLAN then? I had this ticket open well over a year too; just getting them to duplicate the issue took many months, even after telling them exactly how to duplicate the issue.
Cisco Support: The dev team came back to me today to let me know that the behavior as you experienced it is known but not a bug. The way it works is per design. This is for security. The goal is to prevent guest users on the guest VLAN from accessing network resources when the device is in Layer 3. Your switch is in layer 3 since DHCP relay is being used to accommodate DHCP requests going into your DHCP server. In short, the functionality is by design and will not change. Users, when they fail to authenticate, therefore falling under the guest VLAN, will have limited access to resources, if any. Let me know if anything else is needed… other than this, I will go ahead and close the case.