I'm not sure how ISE will be able to detect the group membership of the user, since this is purely a MAB+CWA authentication. I'm going to play around in the lab today with it, but are you suggesting they'll hit a "default" portal, which will then dump the user into the guest_flow, re-parse the authz list, then redirect them to a second portal based on their group membership?
The only way to know the group is to have them log in to the CWA portal and get a success. Then you can key off that: since a CoA took place, authz will know the info. You can say "if guest_flow and AD group". Take a look at the ISE Guest Access Prescriptive Deployment Guide: http://cs.co/ise-guest