Thanks to both for your replies.  Indeed good links and that other case was resolved by TAC in the end. 

@AutomationDude 

@Inderdeep 

A Update to the accepted solution:

This was, in fact, fixed by a call to TAC.  In the end, it turns out that since we use Barracuda Mail Filtering with Cloud Protection Layer (CPL), the emails to the sponsor with the link to approve the requestor were being 'detonated' in the URL sandbox at the protection layer.  All inbound emails with these services actually explode any URL to inspect it to see if it is safe before passing the email to the recipient.  In effect, CPL was "clicking the approval link," seeing that it was an ok website, and then passing the email to the sponsor.  This, in effect, approved the access via the click.

Hope that save someone else some trouble. 

Mark

Thank you, @VT-Freddy! We were experiencing the same issue. After adjusting our mail filter settings, it persisted. Continued on this path and found the issue was being caused by Microsoft security settings.

Tested the Meraki settings and isolated the problem to our internal mail by creating a copy of the SSID with an external email as the authorizing domain. For others finding this in a search, take a look at all of the filter/security/inspection systems that are touching your mail. 

Additionally, there is a Captive portal strength setting under Wireless > Access control > Splash page > Advanced splash settings to select a radio button to either Block all access until sign-on is complete or Allow non-HTTP traffic prior to sign-on.