Thanks for providing the requested info.
The next item that needs to be examined now is the way that Identity Awareness has been configured on your gateway.
1) What are the identity sources being used here? I am assuming that Browser-Based authentication has to be one of them given that we are trying to achieve access via the Captive Portal.
2) Are the affected users required to have the identity agent installed on their machines?
3) Provided the assumption on Step 1 is correct, navigate to the settings of the Browser-Based Authentication source
and tells us the session length for unregistered guests (since the affected users have not joined the domain and are therefore not known by the gateway).
4) What happens when a domain-registered user tries to log in to the Captive Portal from the same machine? Does the same symptom occur?