If you have migrated or upgraded the sites on which you host your CA CRLs and delta CRLs to IIS 7, you may have noticed a (rather frustrating when you're experiencing it) new behavior. IIS 7 will, by default, reject requests containing double escape characters (for example, files containing a "+" sign in the name, such as delta CRLs). While this is a valid, standards-based security feature, the end result is that your clients cannot retrieve delta CRLs from an IIS 7-hosted site unless you change the configuration to allow the double escape character. Do not configure this change server-wide; configure it only on the site(s) hosting delta CRLs. To disable the double escape checking for your CRL site(s), you can use the example below (replace the site name with that of the site hosting your CRLs):
%windir%\system32\inetsrv\appcmd set config "Default Web Site" -section:system.webServer/security/requestfiltering -allowDoubleEscaping:true
There are, of course, other mechanisms for configuring this, but the above is a good, simple way to achieve the desired result.