First, the legs refer to the roles involved. A typical OAuth flow involves three parties: the end-user (or resource owner), the client (the third-party application), and the server (or authorization server). So a 3-legged flow involves all three.
The term 2-legged is used to describe an OAuth-authenticated request without the end-user involved. Basically, it is a simple client-server authenticated request in which the client credentials (identifier and secret) are used to calculate a request signature instead of sending the secret in the clear.
Implementation wise, 2-legged request are exactly the same but don’t include an access token or access token secret. These two values are basically empty strings.