Show rejected users in ISE (Invalid username or password specified)

dijix1990
VIP

ISE has a policy which prevents blocking in AD.

[screenshot: dijix1990_0-1705922913170.png]


22017 Selected Identity Source is DenyAccess - because of Number of bad password attempts for AD instance is higher than the configuration in Active Directory, Skipping the AD authentication.

Can we manually clear the time period after the client resolves the problem (forgets the SSID to try again with the right username and password)?

8 Replies

Reduce the reject time from 60 to 15 and check.
MHM

Yes, I know it will help (but reducing it is not recommended), but maybe there is a special link to see the database of rejected endpoints from the "continue rejecting requests" feature, like the WLC dynamic rejection, where we can delete an excluded endpoint manually.

The client fails to authenticate for a specific number of attempts.
ISE rejects it.
The WLC detects this reject and adds the client to the excluded list for a specific time.
After that the WLC removes the client from the list and the client can try to authenticate again.
Here I think the excluded list in the WLC must be longer than the auto-reject of ISE, not shorter, to ensure that the client can authenticate again via ISE.
MHM

ISE prevents blocking clients in AD, and when it happens I can see it in the ISE live log. So in the WLC database for excluded clients I can't see this client (which was blocked by ISE). And maybe I can see it in ISE?

Did you enable the excluded list under the WLAN?
MHM

Of course

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html

OK, go to the excluded list policy and select all options.
I don't know if ISE returns a timeout or a failure for an auto-rejected client.

MHM
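As an added example (not posted by anyone in this thread), the Catalyst 9800 CLI that corresponds to the exclusion settings MHM refers to: enabling exclusion for all failure types, setting the exclusion hold time in the policy profile, and listing the clients the WLC currently holds excluded. The policy profile name `default-policy-profile` and the 120-second timeout are assumed values for illustration.

```text
! Trigger client exclusion for every supported failure type (the "all" option)
wireless wps client-exclusion all

! Exclusion and its hold time (seconds) are set per policy profile.
! The profile must be shut down while editing; name and timeout are assumed values.
wireless profile policy default-policy-profile
 shutdown
 exclusionlist
 exclusionlist timeout 120
 no shutdown

! Show which clients the WLC itself has placed on the excluded list
show wireless exclusionlist
```

Only clients excluded by the WLC appear in `show wireless exclusionlist`; a client that ISE skips with message 22017 is visible in the ISE live log, not in this list, unless the WLC also counted the failed authentication against its own exclusion thresholds.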

My environment has the config for exclusion, but I think I'm not able to see it in the WLC because ISE has its own database for exclusion.

[screenshot: dijix1990_0-1705989949123.png]