07-21-2013 01:39 AM - edited 07-04-2021 12:28 AM
Dear All,
I am not understanding why we need this thing when we install the certificates on the WLC. We already have a WLC name that is resolved in DNS. Why can't we use that one instead? Anyway, they might have designed it like that, or is there any reason behind it?
When we say the virtual IP should be non-routable, how do we give a common name that is resolvable by DNS? My DNS VIP is in the 192.2.X.X series?
Please clarify my doubt.
KVS
07-21-2013 08:24 AM
I understand your confusion. We've all been there on this one scratching our head. I hope after this post you better understand.
First, the cert you loaded sounds like it's the cert for the WLC management. So you don't get that annoying pop-up when you access the WLC. Correct?
If so, this has nothing to do with the virtual address and GUEST certificate. The virtual address on the controller is used for a number of things; mobility and guest redirect are a few. In your case, since you are saying virtual address and certificate, you must be referencing a guest cert. Again, different from your WLC management cert. The guest cert stops the annoying pop-up, accept this cert for your guest users before they get the guest page. Again, different cert ..
If you don't have a guest wireless network or you don't care if the guest gets the pop-up, no cert is needed. If you are doing a guest network and you DON'T want the guest to get the annoying pop-up, you need to do the cert.
On my blog I outlined how to create the cert.
The reason why the cert has to match the virtual address is because of the redirect. Here is how it works. A client connects to your guest network. He goes to yahoo.com. The WLC allows the request to go out to DNS and get resolved. The DNS responds with the IP address and the WLC hijacks this request and puts the virtual address in its place. The client's browser automatically tries to open the virtual address (bang) pop-up. Unless you have the cert installed.
Make sense?
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
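An added example, not part of the original posts, of the name check a browser applies to the redirect target, which is why the guest certificate has to carry the virtual interface's host name rather than the WLC management name. The host names and the 192.0.2.1 address are constructed, and it is assumed that the redirect uses the virtual interface's DNS host name when one is configured and the bare virtual IP otherwise.

```python
import ipaddress

def _is_ip(value):
    """True when the URL host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def name_matches(pattern, host):
    """RFC 6125-style match: exact name, or '*.' covering one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard covers exactly one label and never the bare parent domain.
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def browser_warns(redirect_host, cert_dns_names, cert_ip_sans=()):
    """True if the certificate does not name the host the guest was redirected to."""
    if _is_ip(redirect_host):
        # For an IP literal only iPAddress SAN entries count; DNS names never match.
        target = ipaddress.ip_address(redirect_host)
        return not any(ipaddress.ip_address(ip) == target for ip in cert_ip_sans)
    return not any(name_matches(n, redirect_host) for n in cert_dns_names)

# Constructed sample values (not taken from the thread).
MGMT_CERT = ["wlc01.corp.example.com"]    # cert issued for WLC management
GUEST_CERT = ["guest.example.com"]        # cert issued for the virtual interface
VIRTUAL_HOST = "guest.example.com"        # DNS host name set on the virtual interface
VIRTUAL_IP = "192.0.2.1"                  # virtual interface address

def scenarios():
    """Outcome of the three cases discussed in the thread."""
    return {
        "management cert reused for guest redirect": browser_warns(VIRTUAL_HOST, MGMT_CERT),
        "guest cert, redirect to DNS host name": browser_warns(VIRTUAL_HOST, GUEST_CERT),
        "guest cert, redirect to bare virtual IP": browser_warns(VIRTUAL_IP, GUEST_CERT),
    }

if __name__ == "__main__":
    for case, warns in scenarios().items():
        print(f"{case}: {'certificate warning' if warns else 'no warning'}")
```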
07-21-2013 05:12 AM
Prasan,
I am not sure what your confusion is. The DNS resolution has nothing to do with the IP address being routable or not.
Sent from Cisco Technical Support iPhone App
07-21-2013 05:56 AM
OK... Please tell me why we need DNS entry for Virtual IP, when we install certificate?
07-21-2013 11:48 AM
Hello George,
Yes, it's a very wonderful explanation, and the sad point is I could give only +5; I wish to give more. Really, many thanks for your time.
We are doing this stuff in our project and your answer gave me more understanding of it.
KVS
07-21-2013 07:22 PM
Thanks for supporting the rating system .. Stop back if you have any more questions ..
Sent from Cisco Technical Support iPhone App