You can get a certificate for any (IANA/“public”) domain name you own. You could run one of the available ACME clients on a separate device, solve the ownership challenge for that domain (a DNS-based challenge like
dns-01 is probably a good option for this - take a look at lego or one of the bash clients) and install the resulting key/certificate on your device. You’ll have to repeat this once every 90 days (that’s how long Let’s Encrypt’s certificates are valid for), probably manually as I’m guessing the access point does not have an API you can use to provision certificates and keys.
This would only work if you’re in control over the hostname at which you access the captive portal. If that’s effectively hard-coded to a domain you do not own, I’m afraid there’s no solution that involves a publicly-trusted CA short of Aruba providing a solution.
Alternatively, if you’re in control over all devices that access your captive portal (I’d guess not, but I’ll mention it just in case), you could generate a root certificate, deploy that certificate across all your devices (import them in your browser trust store manually or use something like ActiveDirectory to push them to clients), and sign a certificate for that domain.