You need to use a certificate on the guest portal that is trusted by the device connecting to it. For guest this is likely to be any type of device and not managed as part of the enterprise environment so you would need to obtain a certificate signed by a public CA (Certificate Authority) such as VeriSign which device manufacturers include as trusted in their OS. The certificate is based on a Fully Qualified Domain Name (FQDN). If you already have a wildcard certificate for a website you may be able to use this. Acquiring a certificate like this will require an annual fee to renew.
You will also need to ensure DNS is setup so that the guest is redirected to the FQDN that is used in the certificate.
If the devices are managed you can use an internal CA, however, this is unlikely for guest.
Not ideal, but you could also manually install the self signed certificate in the guest device so the warning is no longer presented but again this is unlikely to be suitable for a guest network.