This is most likely a DNS issue. The client connecting to the guest network has to be able to find the controller's address at its internal address, not external. Nothing special has to be done if the client is connected to the same network as the controller, but if the client is at some remote location or the VLAN of the guest network is really separated, then you'll have to put the internal IP in your external DNS. For this reason we use two names for our controller: a public name, like "wifi", with a real external IP, and ZoneDirector with the internal.
This happens because the client is trying to reach the controller via the LWAPP channel, which acts like a VPN to the controller. In that environment, the client needs to find the controller at its internal IP.
Experiment by adding "internalIP" zonedirector.domain in a client's hosts file and see if that works.