In a 2-node deployment for ISE 2.7 patch 5, we have a sponsored guest setup. Every time the guest redirects, they are presented with this certificate with common name 10.1.1.1. This IP does not exist in our network. Once you bypass the error, it redirects to the guest page with the correct certificate.
Don't think there is any issue configuration-wise; it's a standard guest config with the portal pointing to a wildcard public cert, and everything works except this error when clients get redirected to the guest portal.
I don't think so; there is no firewall between client - WLC and ISE. I did find out that the cert we were getting was from the WLC default cert, and the problem is isolated to Apple devices only. Android and Windows devices are working fine.
After reading a couple of Apple forums, I am going to try adding the following URL to the redirect ACL and enabling captive portal bypass to see if that helps. If you have any more suggestions, let me know.