Your NV150/160 APs will need to have an SSID "tied" to a particular VLAN for guest access. The APs must connect to 802.1Q VLAN trunk ports on your 15XX switches which must have the new VLAN configured. The 15XX switches have no firewall capability, so I think it would be best to extend your Guest VLAN to your firewall. This can be done via an 802.1Q VLAN-encapsulated Ethernet link to your firewall or else from a separate interface, depending on the firewall and its capabilities--it's difficult to give advice about this without more information here. The firewall would need to allow Internet traffic to NAT out, but not allow traffic to/from your existing private/trusted/company security zone.
It's important to create the new VLAN in your 15XX switches but not create VLAN interfaces (with IP addresses). Just leave the Layer 2 VLAN in place to pass the segregated Guest traffic to the firewall. See this for more details about VLANs vs. VLAN interfaces: The difference between VLANs and VLAN interfaces
Yeah, today I'm investigating what our WatchGuard XTM can provide for us. I figured after posting that I'd have to rely on our Firewall and do a VLAN without a VLAN interface.
I hope the WatchGuard can stand in as the DHCP server or we're going to be proping up a stand alone DHCP server. Can't use the DHCP server from the 15xx's because we use UDP relay to a window's DHCP server.
Thanks for confirming that I can't do it all with the switches I have.