The decrypted metadata will contain the shared secret necessary to calculate it obviously. Even though it's a random number generated by the payer, it still works as a shared secret because both parties know what it is but no one else does.

And in the scenario mentioned by my edit, the payee would first need to calculate the decryption key by multiplying his private key with the public key of the payer, as usual. Then he can decrypt the metadata and figure out the shared secret, or second shared secret if you will.