I can only get the portal working when using the ip address which gives a certificate warning when I enter the FQDN the client is not able to resolve the name, the client DNS setting is pointing to 8.8.8.8 to reslove public dns google etc.. how do i get the client to resolve to the guest portal name ?

I struggled with the same issue and the only answer I can think of is to have a DNS server in your DMZ with specific entries that the guest network has access to, or use the Static IP/Host name/FQDN. The irritating thing is that it is no longer possible to add an internal IP range to an external certificate, so a private IP address will always show a cert warning for externally cert authorities.

If using MAB and you use the static ISE IP entry and your guest network doesnt have access to the Network that ISE sits on, then (as far as I understand it) the portal will never load as ISE drops you on the guest network and then redirects to the portal.

If you use dot1x then you can use COA to move from a network that has access to ISE for the portal, to the guest network on authentication.

Have you tried to set "ip host" at PSN CLI?

http://d2zmdbbm9feqrf.cloudfront.net/2015/anz/pdf/BRKSEC-3697.pdf

You must use  an alias to a local address

ip host <local addr><local FQDN> <Public FQDN>

ise-psn1/admin(config)# ip host 10.1.91.5 ise-psn1-guest ise-psn1-guest.company.com