Not that I'm aware of but as the portal itself is recommended as using SSL and any credentials sent to said portal encapsulated within that encryption, what is the requirement driving the need for L2 encryption to ISE for guest portal services?
In most deployments both the AP IP's and Radius server are on the internal networks and therefore encryption isn't a requirement.
A good way to prevent someone from sniffing the traffic would be to segment the network the AP's sit in from the one users attach to on the wire. Simple ACL or firewall rules would prevent users from being able to sniff anything on the management vlan. If it's a concern over sniffing the air - the portal is no different security wise than what people put credit card transactions on with SSL.
If they must have AP to ISE traffic double encrypted (Radius MD5 Hash plus another) they could use a Cisco-Meraki MX and tunnel all AP traffic to it, then from it to ISE would be the only single encryption. The MX could sit in the same data center as the ISE server.