Cisco ISE is providing the splash page, so CWA. We have AAA override configured on the guest WLAN policy. We are not changing VLANs. The guest policy is set to use a guest vlan group, and gets placed on any of the vlans within the group.

I reckon we do not have any evidence to co-relate CoA with DHCP and here is why (based on your answers) - 

If we break the flow of CWA, it happens like  - 

1. Assoc Request - Access Request is sent with MAB.
2. MAB success happens and Assoc Resp is sent.
3. DHCP happens.
4. Followed by DNS, TCP, HTTP
5. Then comes CoA with whatever the types of CoA you are using. ISE send CoA Request and WLC responds back with CoA Response.
6. Assoc Request - Access Request is sent.
7. Access Accept followed by final Assoc Response.

So DHCP and CoA happens at different stages. If You say CoA is not working and config is correct, then could be - 
https://bst.cisco.com/bugsearch/bug/CSCwm54065
https://bst.cisco.com/bugsearch/bug/CSCwk63163
https://bst.cisco.com/bugsearch/bug/CSCwj01157
https://bst.cisco.com/bugsearch/bug/CSCvr73095
https://bst.cisco.com/bugsearch/bug/CSCwi34080

If you say DHCP is not working, then would suggest to use vlans one by one. There could be an issue with one of the vlans, not all.

- "mix of 9800s, 5520s, 8540s using 2800, 3800, and 9166 access points. Guests across ALL controllers are experiencing an issue"
so it's unlikely that it's a 9800 bug because it's affecting 9800 & AireOS WLCs but worth noting those anyway for sure, and another reason to ensure the software is up to date!

I see 17.12.5 has got gold star marking on the download pages but not yet on the TAC recommended versions, but likely to be soon.

1. Was this working before and it has stopped working at some point, or it's never worked?

This used to work, started noticing issues when we were replacing legacy AIROS controllers with 9800s. Not saying it's related, just want to note it.
2. Is it happening all the time (not working at all) or only sometimes?

It seems to be 90% of the time, users are experiencing this issue.3. Just to be clear CoA is sent to the controller, not the client.
4. If you're sure the WLC receives the CoA and doesn't act on it then you need client debugs to see why.  On AireOS debug client MAC and aaa.  On 9800 Radioactive Trace on client MAC.  Use the Debug Analyzer (link below) to clean up the debug output and RA trace.

WLC debugs and traces, as well as ISE debugs have been sent to TAC. Waiting for help, but posting here as well for visibility.
5. If all the WLCs are receiving the CoAs and ignoring them then the most likely cause is incorrect CoA key.  Have you tried re-applying the key on both sides to ensure it's correct?

I have not, but can today.
6. Take note of the TAC recommended releases (links below) - important to keep your software up to date to make sure you have updates for known bug fixes.

Because we're a very sensitive service area, we tend to move slower with upgrades, except for "test prod" areas, which have to run the latest to be able to pilot new features, like AnyLocate

"The solution for me was to not rely on the DHCP required feature, as this is a vendor feature not supported by the 802.11 standard and it may lead to issues with some devices."

This may be we're headed too. The security of it is nice on guest address space but we may have to just dump it.

As I've mentioned on other similar discussions we run public WiFi hotspots, so DHCP Required is considered a mandatory security feature which we have enabled across 20,000+ APs (AireOS and 9800) without problems, so I would concentrate on what is actually causing your issue which I think is unlikely to be DHCP required.

> Because we're a very sensitive service area, we tend to move slower with upgrades, except for "test prod" areas, which have to run the latest to be able to pilot new features, like AnyLocate
Well do you see the same problems on those "test prod" areas running the recommended code versions?

You'll see plenty of comments from me and others here saying we avoid using the GUI 99% of the time - you should really only trust the config you can see on the CLI.  The GUI has numerous bugs and quirks (and you are using an old version of code).
How were the clients getting their IP addresses?
Did you check the config with Config Analyzer?
Do you have ARP proxy enabled as per the best practice guide?