
FlexConnect 7500 WLC 7.4 locally switched AP with ISE (RADIUS NAC) CWA guest

Nicholas Poole
Level 1

FlexConnect 7500 WLC locally switched AP with ISE (RADIUS NAC) CWA guest

I am trying to set up a Flex7500 WLC with an AP in Flex mode with an SSID for Guest. Guest is managed by ISE using RADIUS NAC CWA.

Code version is 7.4 but tried the new maintenance release of 7.4 and it's no different.

Problem 1:

The FlexACL for web auth redirect isn't called successfully, and the guest doesn't get an IP. Our workaround we stumbled upon was to create the same named ACL as a regular IPv4 ACL on the 7500. (This is also experienced on a vWLC running 7.4, but not on 7.3 or 7.5 beta.)

Problem 2: (the main problem right now)

Now that the client gets an IP, it can cause a redirect to the ISE guest portal. A user can enter their credentials and get authorised, but it then gets stuck in a loop and goes back to the guest portal. ISE also records the following event:

"RADIUS Status: Dynamic Authorization failed : 11213 No response received from Network Access Device"

This error code is:

No response received from Network Access Device.

Check the connectivity between ISE and Network Access Device. Ensure that ISE is defined as Dynamic Authorization Client on Network Access Device and that CoA is supported on device.

It looks like the 7500 isn't responding to the CoA to allow the guest user on. For clarification purposes the port authz policy is just permit access, we are not trying to apply an override VLAN or ACL.

We are raising this with TAC, but has anyone got any ideas?

1 Reply

Nicholas Poole
Level 1

OK, fixed my own problem. In the WLC the RADIUS servers didn't have the RFC for CoA ticked, even though it is by default!

It would have helped if the tick box label RFC 3576 also mentioned CoA as well so it's easier to spot, oh well...
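
The exchange behind this thread, as an added example that is not part of the original posts and is not Cisco code: a Dynamic Authorization Client (ISE here) builds a CoA-Request as defined in RFC 5176 (which obsoletes RFC 3576), and a toy NAD either answers with a CoA-ACK or stays silent. The `rfc3576_enabled` flag, the function names, the shared secret and the MAC address are assumptions made for illustration; the silent NAD models the "No response received" symptom reported above.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK = 43, 44   # RFC 5176 packet codes
CALLING_STATION_ID = 31         # RADIUS attribute type carrying the client MAC

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_coa_request(ident: int, secret: bytes, attrs: bytes) -> bytes:
    """DAC side: the authenticator is MD5 over the packet with 16 zero
    octets in the authenticator field, followed by the shared secret."""
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def nad_handle(packet: bytes, secret: bytes, rfc3576_enabled: bool):
    """Toy NAD (hypothetical). Returns reply bytes, or None for no reply."""
    if not rfc3576_enabled:
        return None  # CoA support off: the request is never answered
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if code != COA_REQUEST or not hmac.compare_digest(req_auth, expected):
        return None  # wrong code or shared secret: silently discarded
    header = struct.pack("!BBH", COA_ACK, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def dac_result(request: bytes, reply, secret: bytes) -> str:
    """DAC side: classify the outcome the way the server would log it."""
    if reply is None:
        return "no response"  # timeout, the symptom reported in the thread
    good = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if reply[1] != request[1] or not hmac.compare_digest(reply[4:20], good):
        return "invalid response"
    return "CoA-ACK" if reply[0] == COA_ACK else "CoA-NAK"

if __name__ == "__main__":
    secret = b"constructed-secret"                      # constructed value
    mac = attr(CALLING_STATION_ID, b"00-11-22-33-44-55")  # constructed MAC
    req = build_coa_request(7, secret, mac)
    for enabled in (False, True):
        print(enabled, dac_result(req, nad_handle(req, secret, enabled), secret))
```

A mismatched shared secret produces the same "no response" outcome as disabled CoA support, so both settings are worth checking on the NAD when this error appears.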