Layer 3 tunnel with Dynamic IP address

Since you are using all ASA-X firewalls, I suggest you go with EIGRP and drop the GRE part - configure IPSEC VPN on ASA.

I had about 80+ branch offices connecting to main site with IPSEC VPN (Although tunnels were on routers not on firewalls) EIGRP played really well. EIGRP is much lighter with computations and has better performance than OSPF. Plus EIGRP is lot easier to troubleshoot and configure.

As for GRE you don't have that option (because you have ASA firewalls not routers) and if you ask me GRE is not the way to go with IPSEC VPN anyway.

When the ASA attempts to send traffic out an interface where a crypto map is applied, it will always process the crypto map from top-down, looking for the first match. Therefore, it will always match sequence 11, and never sequence 16. So the behavior you describe above is normal.

One correct way to do this would be to build GRE tunnels with routers, where you can run a dynamic routing protocol to determine the health of the paths. Then, you can wrap the GRE tunnels in IPSec for security. However, you said replacing the hardware is not an option. SDWAN is also another correct solution for this.

But, here's an idea for you, though. If the headquarters never initiates traffic to the remote site (or can withstand an outage when the primary tunnel goes down), you could set it up where the 897 performs NAT on the traffic when it leaves the cellular interface, so that it appears to the HQ that it's a different site. The ASA would then see this "new" site as attached to crypto map sequence 16, instead of 11. This would allow the remote site to maintain connectivity during an outage, but its source addresses would be translated. Then, when the primary internet comes back up, the 897 fails back to the primary path, to the primary tunnel, and to the primary address space. It's a bandaid, but it's an option.