> the DHCP server for that network is on another Vlan 991 : 172.16.0.1/24

> ip helper-address 192.17.0.1

 One of those is wrong.  192.17.0.1 is not in the 172.16.0.1/24 subnet!  So maybe the reason your DHCP server isn't working is because you typed the IP address incorrectly?

192.17.0.1 is the interface 990 in the main Firewall and inside It we use DHCP Relay for 192.16.3.11

edit "ININV-990"
set vdom "MinaVDOM"
set dhcp-relay-service enable
set ip 192.17.0.1 255.255.224.0
set allowaccess ping
set netflow-sampler both
set description "INSID_INVITE"
set role lan
set snmp-index 28
set dhcp-relay-ip "192.16.3.11"
set interface "INSIDE"
set vlanid 990

You cannot relay to a relay (double relay) - that will always fail.

The client WLAN interface on the same broadcast domain as the client (either SVI on WLC or gateway interface on switch/router/firewall) needs to relay the client DHCP to the server.

Hello, 

I change it with the DHCP server IP @ 192.16.3.11  but always same behaviour 

I'm sure there is something in routing but  I don't know where to start ? 
for example in VPN site to site is there a Vlans to add or something like rules or route ? 

 -    Have a checkup of the 9800 WLC configuration with the CLI command show tech wireless ; feed the output into :
                         Wireless Config Analyzer

 M.

AireOS and IOS-XE are completely different in their handling of client DHCP.
AireOS proxies the DHCP and all communication to client uses the virtual IP while all communication to the server is done on the client VLAN with the interface address as source.
IOS-XE does standards based DHCP relay.  It relays the client request to the server (following the routing table) and routes  the reply back to the client, does not proxy the request like AireOS.
This is why SVI is not recommended on 9800 because there is no isolation between client interfaces and global routing table of 9800.
This means that just like on any other IOS router or switch you must specify the source interface to use for relay and make sure the 9800 has a route to reach the DHCP server.  By default it will simply follow the default route.  Similarly the DHCP server must have a return route to the WLC relay source address and the client address.

Either switch to using layer 2 with DHCP relay done on the external network or re-design for the 9800 architecture.  This is one of the major differences between AireOS and IOS-XE.  

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#DHCPproxy
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_dhcp_wlan_9800.html

Hello Rich, 
I respond to you 2 times today but the reponse deleted (like it's SPAM) 
It's very clear there is a big difference between AIreOS and IOS-XE,  and I configure everything according to cisco recommandation, 
so in the main site users can connect correctly, the domain user have the SSID, the guest users too they get IP and go for captive portal and then connect to wireless, in the distant site the domain users connect the wireless as well as, but guest users can't 

I followed the recommandation and I configure SVI as recommanded below the command show run interface : for your information the ip 192.17.0.1 is the IP address of FW interface of this network and inside the interface we define also the DHCP Relay 

9800wlc1-9800#show run interface Vlan990
Building configuration...

Current configuration : 219 bytes
!
interface Vlan990
 description Internet
 ip dhcp relay information trusted
 ip dhcp relay source-interface Vlan990
 ip address 192.17.0.4 255.255.224.0
 ip helper-address 192.17.0.1
 no mop enabled
 no mop sysid
end

I'm going to send you the design example in private because I can't post it here, 

You posts are coming through ok - it's more likely a problem with your browser and Cisco cookies which are very badly managed by Cisco.  Clear your browser cache and cookies then restart the browser before accessing the site again.