ISE guest hotspot post-auth issue

pb100
Level 1

ISE 3.3.0 running on 3615 appliances

IOS-XE 17.9.5 on 9800-40 WLCs

We have some odd behaviour with a new hotspot portal. Everything up to authentication appears to be working correctly - user is prompted to sign in on connecting to the SSID, redirect is sent to the WLC, portal page is displayed, internet ACL is sent to the WLC when the user accepts the ToU, and the authentication success page is displayed.

However with some devices the user still does not have network access. This primarily appears to affect Android devices, but not all - I haven't observed it with iOS or Windows clients. Refreshing the auth success page does something which causes auth to be successful/the internet ACL to be applied correctly, and the network then shows as connected and the user has internet access.

The fact that this isn't universal in our deployment suggests it's a client issue, but I'm at a loss to understand how a client issue could apparently prevent the correct ACL from being applied by the WLC!

Has anyone come across this issue before? Any pointers on whether it's likely to be an ISE, WLC or client issue, and on where I can look to gather more information if it isn't client? Thanks!

 

2 Replies

balaji.bandi
Hall of Fame

How are the certs configured? Is this FQDN or IP?

Make sure a valid cert is trusted by the client; I always suggest using a publicly signed cert.

Check the packet flow:

https://www.youtube.com/watch?v=MOIpRLpfGvo

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Cisco ISE TME Charlie Moreton shares how to get started with ISE Guest Services.

If the device uses a randomized MAC then it will fail to get access.

ISE learns the MAC and adds it to an identity group, so it will use it after CoA.

If Android uses this feature then its MAC always changes and it fails authc/authz by ISE.

MHM
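
One way to test the randomized-MAC explanation in the reply above against collected data, as an added example that is not part of the original thread. The event export format and the event names `portal_accept` and `post_coa_auth` are hypothetical, and the sample rows are constructed; map them to whatever your ISE or WLC logs actually record.

```python
import csv
import io
import string

# Constructed sample events (not real ISE or WLC output).
# Columns: time, Calling-Station-ID, event. Event names are hypothetical.
SAMPLE_EVENTS = """\
10:00:01,3C-22-FB-10-20-30,portal_accept
10:00:02,3C-22-FB-10-20-30,post_coa_auth
10:01:10,DA-A1-19-44-55-66,portal_accept
10:01:12,DA-A1-19-44-55-66,post_coa_auth
10:02:30,F2-0B-7C-01-02-03,portal_accept
10:02:33,6E-91-D4-0A-0B-0C,post_coa_auth
"""

def normalize(mac):
    """Return the MAC as 12 lowercase hex digits, whatever the separator."""
    digits = "".join(c for c in mac if c in string.hexdigits).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set, as it is for randomized MACs."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def triage(text):
    """Compare the MAC seen at portal acceptance with the MAC seen after CoA."""
    accepted, reauthed = [], set()
    for _time, mac, event in csv.reader(io.StringIO(text)):
        mac = normalize(mac)
        if event == "portal_accept" and mac not in accepted:
            accepted.append(mac)
        elif event == "post_coa_auth":
            reauthed.add(mac)
    seen = set(accepted) | reauthed
    return {
        "stranded": [m for m in accepted if m not in reauthed],  # accepted, never re-authed
        "unregistered": sorted(reauthed - set(accepted)),        # re-authed with an unknown MAC
        "randomized": sorted(m for m in seen if is_locally_administered(m)),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

A randomized MAC that stays the same across the CoA (the `DA-A1-...` row) passes cleanly; only a MAC that changes between acceptance and re-authentication shows up as a stranded/unregistered pair.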
