For your guest VLAN addresses, is that 10.160.197.x VLAN trunked to your AP switch ports?
Your guest client DHCP requests (if not tunneled back to the ZD), will hit the network at the AP.
You also need DNS on the 10.160.197.x VLAN, so your guest browsers will get a reply that can be used to "hijack" their session, to the Guest webauth login page.
I'm not sure about your AP upgrade issues, but if you can ping/ssh to a disconnected AP, you can try issueing a "set director ip a.b.c.d" CLI command with your ZD's IP address, and then a reboot to point the AP.