You can use a different certificate for your guest portal. If you use one with a public CA, you just need the DNS record to match the one of your certificate and have the DNS A record.
Yes, for network devices using AAA, the Cisco ISE Base License is sufficient: http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_0111.html#concept_DE1C38E055794B198ED352D1528B5182