If you don't need to confuse your users with multiple VLANs, don't do it. Leverage the tools you have. You mentioned you have ISE and you should be able to do all this with one SSID. As AdnanG already mentioned, you can utilize the profiling features of ISE to classify the devices.
Your ACS should be able to tie into the MS AD authentication and be able to provide user authentication and group information.
From there, you just need to combine the user/groups with the device profiles and then tie it to a VLAN. So, for instance, if the device is identified as a cell phone and the user is part of "group A", then the get put in the "group A - internet" VLAN.
I haven't done it personally with ISE, so can't give exact steps, but this is how Cisco marketing is selling ISE in the BYOD space. I also know of several people who have done similar setups to what is suggested. I would start by looking through this Cisco BYOD document that would give you a general overview of how BYOD is done with with Cisco ISE.
In the scenario you describe, you should definitely be looking at multiple access points, preferrably dual band APs.
While coverage may be sufficient, coverage alone is no longer the primary consideration when deploying a wirelss network. Client capacity, channel utilization, signal quality, and reliability are much more important and multiple access points will help with all of these.
By using 3 (or more) APs on multiple channels (1, 6, and 11), you will in effect triple the amount of airtime (bandwidth) available on your wireless network.
Additionally, proper placement of the APs will provide clients a closer AP with stronger signal, which will be more resistant to noise in the RF environment. This will allow better signal-to-noise (SNR) ratios which will translate to the use of higher data rates and this results in more data transmitted per "timeslot".
I would recommend placing them 2/3 to 3/4 of the way from the center to the perimeter, spaced roughly evenly. Try to get them in or as close to the highest user denisity locations as possible (i.e. conference rooms, etc).
Finally, the additional access points will provide increased reliability. With a single access point, if it were to fail or reboot for any reason, this would create a disruption in service. Having multiple access points should allow for coverage to overlap, allowing service to remain (if degraded) when you have an access point down.
Best Answer
As put in Cisco Networking for Dummies article on Multiple SSIDs with a Single Access Point (AP) (link)