i have updated the details that i missed in main topic

WLC model - C9800-L-C-K9 (Cisco Catalyst 9800-L Wireless Controller )

Version - 17.3.4c

the link that you provided i already referred. im looking for workable step by step procedure for email consent web portal.

The URL provided a workable solution and worked when we tested, not artificially created.

Since you have a different issue not normal and also we do not what devices working and what not working, what you have done testing and debugging, what was your observation, it's hard to tell you what is the issue here.

As long as the steps follow, this works as expected, some setups are complex, especially routing and other stuff, where the redirect web portal is hosted.

So you need to debug related to your issue, or contact TACT

The link you provided is not related to email consent web portal.. its for web authentication portal.

Is there any step by step guide for email consent web portal. 

Devices connecting are android, iphone and windows machines.

I didnt understand you are pointing out. yes. currently we aer using self signed certificate. we are not using any FQDN in this environment. 

In my case authentication type im using is local web authentication.  its using internal default html pages. the ype of web authentication is consent or web passthrough.  so how certificate will play in this case? please let me know if im missing something.

Any https page which must be displayed on a device uses a certificate.
The device must be able to trust the CA and intermediate that issue that certificate in order to display the page and content securely.
Modern devices and browsers mostly won't display the page and/or content (or sometimes only after dire security warnings and disclaimers) if they cannot trust the certifcate and that's why self signed certificates and using IP addresses instead of domain names causes problems.

If you insist on using self signed then you will have problems and you'll need to accept that (yes - the users will hate you for the rubbish service).
If you want it all to work properly then do it properly.

Correct - guest devices will not trust the internal CA certificate.

As long as you load the full cert chain it should send the intermediate to the device (with the server cert) then as long as the device trusts the root the intermediate should be fine so new intermediate should not cause any problems.

sure. as per your advice ill consider public signed certificate. if they have existing wild card certificate can we use it in this case?

I haven't tried wildcard myself but yes, in theory, that should work too.