
ISE sending CoA-requests for reauthentication

pontusd
Level 1

Hi,
I have a problem with Cisco ISE 2.7 guest access. I can see in the live logs that clients have been authenticated correctly, but after every successful authentication ISE is sending a CoA-request for reauthentication. This is happening every 5 seconds and keeps going forever. In this case we have Cisco ISE acting as RADIUS for an Aruba wireless network.

9 Replies

OK, I see.
But we still have a problem with clients that are constantly being connected and disconnected from the guest wifi every 5-10 seconds (same time as the CoA-requests). Do you think this is an ISE problem or an Aruba problem?

Right after they join? Or constantly? Impossible to say. Are you using the Aruba network device profile in the article I linked? That NDP is much more modern than the one provided natively in ISE. Is this IAP? Mobility Controller on AOS8.x? Gateway on AOS10? Aruba Central?

Yes, I am using the custom Aruba network profile in ISE. We are using IAP without a controller or Aruba Central, just the virtual controller on the APs with AOS8.
The clients are flapping between connected/disconnected constantly after the first successful portal authentication.

So is this driven by CoA packets from ISE or not?  ISE should only be sending one CoA.  Do you have ISE defined as a Dynamic Authorization server on the IAP?

Yes, ISE is defined as a Dynamic Authorization server on the IAP. We have seen that the problem only exists when clients are using a BYOD MAC-group in ISE (still using guest wifi), but when clients are using the Guest Portal on ISE it works fine. Check my Authorization profiles below.

[Images: five attached screenshots]

Aruba client logs:

deauth    Sapcp Ageout (internal ageout)  (seq num 0)

deauth    Denied; Ageout (seq num 0)

Arne Bier
VIP

@pontusd - if you perform a tcpdump on the PSN that the Aruba WLC is using, you might get some extra clues. Does the Aruba send any RADIUS Accounting to ISE?

I don't see anything interesting in the TCP dumps. Yes, I had accounting ON in the Aruba SSID configuration. I turned it off now and it seems to be better. But the problem with connect/disconnect still exists of course.

Accounting should be enabled for proper ISE session/license management.
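
One way to act on the tcpdump suggestion and the "ISE should only be sending one CoA" expectation from this thread, as an added example that is not part of any post here: a small parser that walks RADIUS payloads from a capture and reports clients that received more than one CoA-Request. It assumes the CoA-Requests carry the client MAC in Calling-Station-Id; the helper names, the `max_per_client` threshold and the sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict

COA_REQUEST = 43          # RADIUS code for CoA-Request (RFC 5176)
CALLING_STATION_ID = 31   # attribute assumed to carry the client MAC

def parse_radius(payload):
    """Return (code, {attr_type: [values]}) for one RADIUS UDP payload."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad RADIUS length field")
    attrs, pos = defaultdict(list), 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs[a_type].append(payload[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def repeated_coa(packets, max_per_client=1):
    """packets: iterable of (timestamp_seconds, udp_payload).
    Returns {mac: [timestamps]} for clients with more CoA-Requests than allowed."""
    seen = defaultdict(list)
    for ts, payload in packets:
        try:
            code, attrs = parse_radius(payload)
        except ValueError:
            continue  # skip malformed payloads instead of aborting the run
        if code == COA_REQUEST:
            for mac in attrs.get(CALLING_STATION_ID, [b"<no Calling-Station-Id>"]):
                seen[mac.decode("ascii", "replace").upper()].append(ts)
    return {m: t for m, t in seen.items() if len(t) > max_per_client}

def build(code, ident, mac):
    """Constructed test packet: zeroed authenticator, one Calling-Station-Id."""
    attr = bytes([CALLING_STATION_ID, 2 + len(mac)]) + mac
    return struct.pack("!BBH", code, ident, 20 + len(attr)) + bytes(16) + attr

# Constructed sample capture: one client hit every 5 s, another hit once,
# plus one Access-Accept (code 2) that must be ignored.
SAMPLE = [(t, build(COA_REQUEST, i, b"AA-BB-CC-00-00-01")) for i, t in enumerate((0, 5, 10, 15))]
SAMPLE += [(3, build(COA_REQUEST, 9, b"AA-BB-CC-00-00-02")), (4, build(2, 1, b"AA-BB-CC-00-00-01"))]

if __name__ == "__main__":
    for mac, stamps in repeated_coa(SAMPLE).items():
        print(mac, "CoA-Requests at", stamps)
```

Feeding it the UDP payloads and timestamps from a capture taken on the PSN shows whether the repeats target only the MACs that flap, and at what interval.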