Now that I think about it, it seems to me there is another way to achieve the same thing. Since the payee needs to share his full public key (Q), it would be possible for the payer to encrypt data using Q and only the payee would be able to decrypt it. The payer can generate a random number (r), then use that in the same way as the shared secret to generate Q'. Then they encrypt r using Q and embed it as metadata. The payee can scan for transactions by checking if his private key can decrypt the metadata.
EDIT: or better yet, the shared secret is generated the normal way by multiplying the private and public keys together, but we use it as the key for a strong symmetric encryption algorithm to encrypt r instead of using Q to encrypt r, which should be a more secure approach.
There is no orthologous method for ECDSA that you'd use to directly encrypt data to a recipient key as you would with RSA. ECDSA is purely for signing.
What you're describing (using the shared secret for a symmetric cipher) is known widely as Elliptic curve DiffieHellman (ECDH). It overcomes the above limitation. It is used to transmit messages in transactions in some CryptoNote coins, and is widely used in protocols such as SSH and TLS.
http://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman