Can't say that I have ever set something like this up, but the instructions to do this with embedded Gaia firewalls are described here:
sk107097: Configuring DHCP relay through Site-to-Site VPN on GAIA embedded Appliances
Also be sure to follow all steps precisely as shown in this SK, as it is a rather lengthy setup:
sk104114: Configuration of IPv4 BOOTP/DHCP Relay using new services
If I'm reading that first SK correctly, for your 5500 firewall you may need a manual NAT rule that ensures the initial DHCP Request is source NATted to the internal IP address of your 5500 on the interface where the DHCP request came in. This internal IP address must be contained within the 5500 firewall's VPN domain, which therefore will get encrypted into the tunnel to HQ assuming DHCP Relay is properly configured in the Gaia OS of the 5500. Setting the primary address in the DHCP Relay setup to the inside address of the 5500 may do the trick as well.
This NAT setup should be the equivalent of the "use internal IP as source" checkbox mentioned in the first SK, although the fwx_dhcp_relay_nat variable in the second SK might take care of this for you, not sure.