The standard Oracle ATG Web Commerce access control servlet specifies the pages that, when requested, should cause the user to be redirected to log in. The CRS-M configuration can be found at:

/atg/dynamo/servlet/dafpipeline/AccessControlServlet.properties

Additionally, a mechanism to disable CRS-M even after it has been included by your CIM setup is provided by /atg/userprofiling/DisableMobileAccess.properties.