
9800 / ISE Hotspot Portal

neteng1
Level 1

I have configured a Hotspot portal and auth policies on ISE. A new client is successfully redirected to the portal and added to the GuestEndpoints group after accepting the policy. However, the client stays in Webauth Pending state on the 9800 WLC.

After disconnecting/reconnecting the client, it connects successfully without redirect. Any thoughts why the 9800 is not re-authorizing the client?

1 Accepted Solution


neteng1
Level 1

My problem was related to a combination of load balancing and authorization policy issues.


6 Replies

neteng1
Level 1

I may be encountering bug CSCvv52637.

neteng1
Level 1

My problem was related to a combination of load balancing and authorization policy issues.

Can you elaborate on the solution? I am seeing the same issue; however, I am not load-balancing any of my connections. We are in the process of upgrading from a 5508 to a 9800 WLC, and the auth policy that we were using was working fine for the 5508. I'm not sure if disconnecting and reconnecting works; I didn't try that. In our case, after entering the hotspot password, it would try to redirect to the actual web site, then back to the PSN, and bounce between the two without ever opening anything in the browser. The bouncing was visible in the address bar. Eventually, it would fully work.

The load balancing was because I needed a policy for CoA port 1700. After accepting the AUP, the user should be added to an identity group, re-authenticated, and then match a simple 'Permit' authorization policy based on their new identity group. Are any of those working for you? It sounds like your user may be in an authorization loop. Make sure the 'Permit' policy is before the 'Redirect' policy. Network Access --> Troubleshoot --> TCP Dump will also help narrow down what's occurring.

Nope, I've got all of that. Again, this was all working fine with the 5508 controller; it's only since moving to the 9800 that the issue cropped up. I have two rules for guest access: the first rule checks if the user is in the guest identity group, and the second rule redirects to the login page, where a valid password adds the user to the identity group.

Did a little more testing today, and it appears that in our case, during the 15 minutes or so that it takes the client to become active, even though they are in the proper identity group, disabling WiFi or rebooting so it truly starts a new session makes no difference. ISE error messages seem to imply that the WLC is not responding to the CoA request. We took debug logs from the WLC today and will see if anything turns up.

There is a checkbox in AAA settings on the 9800 to trust CoA from the RADIUS server. That should be checked.
