Theoretically, you could try using VLANs and have the (dedicated?) port feeding the AP as tagged port. This should give you two different subnets on the AP. Not sure how to tell the AP about this but it's probably just a matter of pointing each SSID to the correct VLAN. Haven't tried it, though
I've been locally NATting guests into the LAN. They only need Internet service so double NAT is not a problem. Set up firewall rules to block them from all of your private IPs.