Using the same AES key for CBC and ECB

As stated in the comments, I would avoid inventing a protocol at all costs and rather try to implement a standardized protocol. Some OTP protocols require the clients to use a second, out-of-band device for receiving the OTP when logging into a server; a common scenario with banks is that upon your login request to the server application, the server will send an OTP to your cellphone. The OTP generators for client and server are typically time-synchronized or counter-synchronized; if I understood correctly, you plan to use the latter solution. I didn't find in your description how you intend to manage the client's counter: on a separate device?

Anyway, I would recommend using a standardized procedure that has been "tested in the field" rather than rolling your own scheme. HOTP could be what you are looking for, although it uses a keyed HMAC solution rather than symmetric encryption; this should make things easier, as you don't have to worry about the IV anymore.

In any case you should plan early on how you want to accomplish establishing the symmetric keys with your clients. If you can't handle this over a secure channel (such as handing out keys in person) this will become a problem for the security of the entire system.
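The counter-synchronized scheme mentioned above, as an added example that is not part of the original answer: HOTP as specified in RFC 4226, plus a server-side verifier that tolerates a client counter running ahead and rejects replayed codes. The `HotpVerifier` class, its look-ahead `window` of 3 and the in-memory counter are assumptions made for illustration; the key is the published RFC 4226 test secret.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret; never use a published key in production.
RFC_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Hypothetical server-side state for one client (illustrative only)."""

    def __init__(self, key: bytes, counter: int = 0, window: int = 3):
        self.key = key
        self.counter = counter  # next counter value the server expects
        self.window = window    # how far ahead the client may have drifted

    def verify(self, candidate: str) -> bool:
        # Try the expected counter and a few values ahead, because the client
        # may have generated codes that never reached the server.
        for c in range(self.counter, self.counter + self.window + 1):
            expected = hotp(self.key, c).encode()
            if hmac.compare_digest(expected, candidate.encode()):
                # Resynchronise past the accepted value so that this code
                # and every earlier one can never be accepted again.
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    server = HotpVerifier(RFC_KEY)
    print(hotp(RFC_KEY, 0))          # code the client shows for counter 0
    print(server.verify("359152"))   # client is at counter 2: accepted
    print(server.verify("359152"))   # same code replayed: rejected
```

In a real deployment the counter has to be stored persistently per client and failed attempts have to be rate-limited, as RFC 4226 requires throttling on the server.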