Cisco IOS does not pass IP multicast traffic through the encryption process on egress, but does so on ingress, hence the problem.
We had the same issue, albeit using EIGRP, and we changed the ACL to be as follows:
!
ip access-list extended ACL-NAME
deny ip 224.0.0.0 15.255.255.255 any
permit ip any any
!
While this overcomes the problem you mention here it does mean that your OSPF traffic will not be encrypted.
If you're using GRE, why not establish the OSPF adjacency over the GRE tunnel and then use an ACL to encrypt the GRE traffic as follows:
!
ip access-list extended ACL-NAME
permit gre host 192.168.1.1 host 192.168.1.2
!
Regards