I have come up with an ugly hack for this.
It seems the iPhone does a DNS lookup on http://www.apple.com prior to redirecting to the Captive Portal page. If the DNS lookup fails, the phone doesn’t display the login screen within the WiFi app, and more importantly, doesn’t lose the assigned IP address. The user can then open Safari and log in as normal through the captive portal.
To get DNS lookups on http://www.apple.com to fail I created a DNS entry for apple.com without any ‘A’ records on the ZeroShell server.
This gets around the problem, but does mean that clients can’t get to apple.com pages. Better than none at all though 😀