Alex, I have the same requirement as you. I guess you do not have a problem configuring IPsec for the roaming users or site-to-site separately. To have the site-to-site crypto map and the roaming users crypto map on the same external interface, the idea is to assign different profiles to the same crypto dynamic map.
The following is the main idea:
! profile definition for site-to-site
crypto keyring spoke1
 pre-shared-key address 0.0.0.0 0.0.0.0 key key@site2site
crypto isakmp profile site-to-site_profile
 keyring spoke1
 match identity address 0.0.0.0
! profile definition for roaming users
crypto isakmp profile roaming_vpn_profile
 match identity group roaming_group
 client authentication list roaming_user
 isakmp authorization list roaming_group
 client configuration address respond
! assign them to same dynamic map
crypto dynamic-map dynmap 10
 set transform-set roaming-transform-set
 set isakmp-profile roaming_vpn_profile
crypto dynamic-map dynmap 20
 set transform-set spoke1_transform_set
 set isakmp-profile site-to-site_profile
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
Then you can assign it to your external interface:
# crypto map clientmap