Difference between system certificate vs trusted certificate in ISE

palani2010
Level 1

Difference between system certificate vs trusted certificate in Cisco ISE

4 Replies

System cert is the identity cert

Trusted cert is the CA cert used for endpoints and ISE

MHM

@palani2010 Mr. @Aref Alsouqi's answer has more detail than mine.

thanks

MHM

They are somewhat similar to what you have in Windows endpoints' personal and trusted root certificates. In ISE the system certificates contain ISE identity certificates that will be presented to other entities such as endpoints, servers, pxGrid peers, SAML IdP, ISE portals, EAP authentication, etc. ISE system certificates could be issued locally in ISE (self-signed) or issued by an external entity and then imported into ISE.

The trusted certificates, on the other hand, are the certificates that will be used to trust the certificates of the others. For instance, when an endpoint tries to authenticate against ISE with a secure protocol such as EAP-TLS, the client will present its certificate to ISE. If ISE does not trust that certificate, it will drop this secure tunnel negotiation. To make ISE trust the endpoint certificate, ISE must have the issuer of the endpoint certificate in the trusted certificates, and it also has to have the client authentication checked. This option will instruct ISE to use that trusted certificate to validate the clients' certificates that will be presented during any secure negotiation.

The trusted certificate can also be used to validate certificate-based admin authentication, native IPsec certificate-based authentication, and Cisco services authentication. In other words, we don't use the trusted certificates in ISE only for traditional EAP authentications; they could be used for other purposes.

Take a look at this link that has some more info about this:

Configure TLS/SSL Certificates in ISE - Cisco
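As an added example (not from this post and not Cisco's code), the EAP-TLS trust decision described above modelled in Go with constructed test CAs: the store maps each trusted CA certificate to its "Trust for client authentication" checkbox, and only checked CAs become trust anchors. The `issue` and `endpointTrusted` helpers, the CA and endpoint names, and the map model of the store are assumptions, not ISE's implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate: a self-signed CA when isCA is set, otherwise an endpoint cert signed by parent (errors ignored for brevity).
func issue(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // a root signs itself with its own key
		tmpl.KeyUsage, parent, pkey = x509.KeyUsageCertSign, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// endpointTrusted is an assumed model of ISE's trusted-certificate check on an EAP-TLS client cert: only CAs whose
// "Trust for client authentication" box is checked (map value true) become trust anchors for the chain validation.
func endpointTrusted(endpoint *x509.Certificate, store map[*x509.Certificate]bool) bool {
	pool := x509.NewCertPool()
	for ca, checked := range store {
		if checked {
			pool.AddCert(ca)
		}
	}
	_, err := endpoint.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

func main() {
	corpCA, corpKey := issue("Corp Issuing CA", true, nil, nil)
	otherCA, otherKey := issue("Some Other CA", true, nil, nil)
	laptop, _ := issue("laptop-01", false, corpCA, corpKey)
	stranger, _ := issue("laptop-02", false, otherCA, otherKey)
	fmt.Println(endpointTrusted(laptop, map[*x509.Certificate]bool{corpCA: true}))   // true
	fmt.Println(endpointTrusted(stranger, map[*x509.Certificate]bool{corpCA: true})) // false: issuer not in store
	fmt.Println(endpointTrusted(laptop, map[*x509.Certificate]bool{corpCA: false}))  // false: checkbox unchecked
}
```

The third case is the one that trips people up in practice: the issuing CA is present in the store, but the endpoint is still rejected because the client-authentication trust is not enabled on that entry.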

thomas
Cisco Employee

System Certificate == the one ISE nodes use for communication with other nodes, endpoints, users, and services.

Trusted Certificate == one that you put into ISE for it to trust other endpoints, users, and services.