i tried to setup almost exactly what you wanted.
I have two Networks, one is my Corporate Network, and the second one is a Guest LAN. I have a wireless adapter in my Zeroshell and I did a multi SSID setup to have two wireless zones, one on the Corporate Network with WPA2-PSK and the other one one the Guest LAN with an Open Network with Captive Portal. My third Network connection is connected to the Internet. So both the Corporate and the Guest LAN are going through this connection to the Internet.
I bridged the WPA-PSK Wireless Adapter with the one from the Corporate Network, and i bridged the Guest Wireless with the Guest LAN and activated Captive Portal on the Guest Wireless-Guest LAN Bridge.
BRIDGE 1 > WLAN Corporate (WPA2PSK) + LAN Corporate
BRIDGE 2 with Captive Portal > WLAN Guest (OPEN) + LAN Guest
When I connect to the Corporate WLAN using the correct WLAN ssid/key I get connected correctly to my corporate Network and get a DHCP address from the DHCP server as expected.
When I connect to the Guest WLAN, I try to open a webpage, I get redirected to the Captive Portal login site, and I have to identify myself with username and password and then I am in.
BUT, I found out about a strange behaviour: Before authentication I get, whatever site I use, to the Captive Portal Login Page as expected. When I Use ping command to some random puplic ip-address I can get through without beeing authenticated. I have never experienced this behaviour in other situations (without wireless) and I am still trying to find out why.
Instead of bridging, you can also use vlans. You could put the Guest LAN and the Guest Wireless in the same vlan. I have not tired this one you yet.