SGACLs are actually like PACLs but superior since they don't consume that much TCAM space.So isolation of devices is perfectly possible even if they're on the same VLAN/Broadcast domain.I have successfully implemented that on Cat3k, Cat4k, Cat6k and ...

You can use the IP of the WLC instead of Device group as a condition, or Device name as configured in ISE.

Portal certificate is not actually for admin GUI, but for Guest Portals. Admin certificate serves as the ISE web server certificate as well as for inter-node communication. You don't need to issue certificates per usage but I'd use specific ISE nodes...