I read documentation and it says:
By calling the CNSetSupportedSSIDs function, an application can register a list of wireless network SSIDs with Captive Network Support, thereby assuming responsibility for authenticating with those networks. Typically when a user joins a captive network, Captive Network Support provides a web sheet that allows the user to authenticate with the network. If an application has registered the SSID of the captive network, however, the web sheet is suppressed, and the user can complete authentication in the appropriate application
What does "user can complete authentication in the appropriate application' mean exactly?
I am particularly interested in how it should work, if one application has registered to handle capture network and another is trying to access the web, when a user isn't authenticated yet.
It looks like public API doesn't do too much for you. It supress the message, but a user should manually launch another app to login.
However, there is a special entitlement "com.apple.developer.CaptiveNetworkPlugin" which gives you possibility to use bunch of private API's in CaptiveNetwork framework to build a real captive plugin. Some companies work with Apple to do this (https://devforums.apple.com/message/792112#792112). However, it's not a broadly available API.
BTW. Here is some additional information from a guy who reverse engineered one of such apps: http://kalapun.com/posts/reverse-engineering-ios-app/