You could use "Airespace:Airespace-Wlan-Id EQUALS <YOUR WLAN ID FROM WLC>" condition to catch the specific WLAN and then "MYDOMAIN:ExternalGroups EQUALS mydomain.com/<SOME SPECIAL AD GROUP>" to allow only that particular AD group.
You just need to keep in mind that if you have this new rule above the existing rule for the other WLAN, you will still allow all AD users to access your restricted WLAN, because there are no conditions that restrict the original rule.