A Certificate Trust List (CTL) is a structure similar to a CRL, but it usually holds a list of CAs (roots or intermediates) instead of revoked end-user certificates.
When mutual authentication with SSL is configured in IIS, the server and the client match their CTLs, each of which contains the list of root certificate authorities trusted on that side. The browser uses the intersection of these two lists when it searches the personal certificate store for end-user certificates that derive from one of the CAs in the resulting list. It then shows a selection pop-up so the user can choose one of those certificates for client authentication.
A custom CTL may be defined for each website in IIS.
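The filtering described above, modelled as an added example (not IIS or browser code). All CA and certificate names are constructed, and certificates are matched by name rather than by hash to keep the model short.

```python
# Constructed CA hierarchy: subject -> issuer (a root is issued by itself).
CA_ISSUERS = {
    "Corp Root CA": "Corp Root CA",
    "Corp Issuing CA": "Corp Root CA",
    "Partner Root CA": "Partner Root CA",
    "Lab Root CA": "Lab Root CA",
}

# Constructed personal store: end-user certificates and their direct issuers.
PERSONAL_STORE = [
    {"subject": "alice@corp", "issuer": "Corp Issuing CA"},
    {"subject": "alice@partner", "issuer": "Partner Root CA"},
    {"subject": "alice@lab", "issuer": "Lab Root CA"},
    {"subject": "alice@orphan", "issuer": "Unknown CA"},
]


def chain_cas(cert, ca_issuers, max_depth=10):
    """Return the names of all CAs above `cert`, from direct issuer up to the root."""
    cas, name = set(), cert["issuer"]
    for _ in range(max_depth):  # bound protects against issuer loops
        if name in cas:
            break
        cas.add(name)
        parent = ca_issuers.get(name)
        if parent is None or parent == name:  # unknown issuer, or self-signed root
            break
        name = parent
    return cas


def selectable_certs(server_ctl, client_ctl, personal_store, ca_issuers):
    """Subjects offered in the selection pop-up: certificates whose chain
    contains a CA present in both the server's and the client's list."""
    common = set(server_ctl) & set(client_ctl)
    return [c["subject"] for c in personal_store
            if chain_cas(c, ca_issuers) & common]


if __name__ == "__main__":
    site_ctl = ["Corp Root CA", "Partner Root CA"]   # per-website CTL in IIS
    client_roots = ["Corp Root CA", "Lab Root CA"]   # CAs trusted on the client
    print(selectable_certs(site_ctl, client_roots, PERSONAL_STORE, CA_ISSUERS))
```

A CA trusted on only one side drops out of the intersection, so certificates issued under it are never offered, and an empty intersection leaves the user with nothing to select.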