The short answer is yes. All you need is an ap-manager interface assigned to port 2 and assign the guest interface to port 2. Keep your vlan tagging straight.
The other longer answer is I would probably not do it. In older codes, these seemed to work just fine. In newer codes, however, we see it more and more where sometimes you cannot pass the guest traffic out the second port for some reason. In fact, I am currently working an issue with a customer right now where we are seeing the WLC drop arp (CSCte67234) for the guest client trying to use Port 2.
I am firm believer that although this can work, the best practice is to use either one port on the WLC for both internal and guest, or a port-channel/LAG with both ports on the WLC going to the same switch, and let the switched network/routers/firewalls handle keeping the guest traffic off your internal network as opposed to "routing around the firewall" by trying to use the WLC like a switch.
Again, you can certainly give it a shot and if you don have any issues, then that is great. If it doesn work, then you might be running into an ARP problem or some other issue with the WLC connected in this fashion.