I believe I have resolved this. After spending days on it, and trying just about everything, I happened upon a missing piece of information from my network admin, and after that, had it working in about 5 min.
After multiple attempts to trick ios6 to allow for local wifi connectivity, I have come upon a solution.
The problem: trying to get ios6 to connect to wifi, behind a captive portal and a websense filter, while keeping external access offline.
We use the captive portal to setup billing for internet usage, and didn't want to open a huge hole in it to allow 'free' internet to the iphones.
We use websense to do content filtering, and any hole I opened on the captive portal, ended up with a websense authentication pop up on my iPhone when I tried to log in.
When attempting to join a wifi in ios6 (ipad,ipod,iphone), you would get a captive portal, or a websense authentication login. If you did NOT login, you would not join your wifi, if you DID login, your entire house could be online and using the internet.
-captive portal pass through is not enough, websense does not filter properly, even with an unblock filter in place.
-created fake apple.com domain and fake web server with Success! message
-created proxy server
-created captive portal mac and ip and hostname throughputs
-created websense unblocked filters
WORKING SOLUTION: (our captive portal is PFSENSE)
-you have to create a combination of things. In the end, you're allowing access to a limited set of locations so the iphone can activate the wifi, but keeping the rest of the internet closed. The iphone will go through these holes, and onto the internet, but the holes are too small to allow anything else through.
on each captive portal, (we have multiple, one for each network, you may have only 1), create a allowed 'hostnames' and allowed 'ips' to match the following locations
( I derived this information by reading forums but also by doing a packet capture on PFSENSE while trying to connect to wifi with my iphone, which gave me the ip addresses. With just the ip addresses I believe it will work. I also tried adding *.akamaitechnologies.com (which the ip's resolve to) and that also worked but I didn't want THAT large of a hole in my fw).
on each firewall, create a rule allowing ANY to those locations as well, making sure it nats, and all of that. This rule needs to be active BEFORE your websense filtering rule, otherwise websense authentication pop ups will continue.
As a result, the iphone now logs in, but web pages are still blocked, so folks still have to login to the captive portal and submit billing information before going online.
in case anyone cares.