If you are using ISE for CWA, then you are "limited" in what you can do from and SSID security standpoint.
Basic constraints:
- Set Layer2 security to None with MAC filtering.
- Select the ISE IP address for both Authentication and Accounting Servers.
- Advanced tab, enable AAA Override and set the Network Admission Control (NAC) State to RADIUS NAC (CoA support)
- Your guest VLAN should not have access to anything besides the internet once authenticated.
- All devices must get registered in ISE before they can authentication, so even if an unencrypted packet is sniffed, the device still gets redirected to the Guest portal page.
- Absolute worst case, the "hacker" gets on your guest network: your guest VLAN ACLs peel them off to the internet only and you disallow peer to peer communication on the SSID.
I realize this might make some people uncomfortable with "no security" in the SSID, but keep in mind that this is for guest only and ISE is validating clients.
Links to ISE/WLC Guest Configuration: