Hello,
1) You may want to look at SSID restriction document id:71811 (Google it). In this example you use AD.
2) Yes, turn your WLC to HTTP only. Your guest page will negate the cert. But this is a global setting so your WLC logon will be HTTP as well.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin